Features Introduced in May 2021
New Features Introduced in 21.5.2
New Features
FEATURE | DESCRIPTION |
---|---|
Alarm Center | Prisma Cloud generates health notifications called Alarms that display system-level issues and errors that have occurred in the Integrations status and Cloud Accounts status. You can enable Alarms under Settings > Enterprise Settings. The Alarm Center displays the alarms, which you can review and act on to rectify the error or issue. |
Support for shared S3 Bucket for AWS CloudTrail Event Logs | To support scenarios where you do not store AWS CloudTrail event logs in the same S3 bucket that you are onboarding to Prisma Cloud for Data Security scanning, you can now specify a central or shared S3 bucket that stores your AWS CloudTrail event logs. |
Support for Event Attribution on Google Cloud Platform | For GCP resources that are monitored on Prisma Cloud, you can now view events related to the resource (audit trail) in the Resource Explorer. This capability is already available for AWS and Azure. |
API Ingestion | AWS WAF: aws-waf-classic-web-acl-resource (additional permissions required) and aws-waf-v2-web-acl-resource (additional permissions required). |
| | Google Binary Authorization: gcloud-binary-authorization-policy (additional permissions required). The permissions are included in the Project Viewer role. |
Update Prisma Cloud CLI | The Prisma Cloud CLI is no longer supported. |
New Policies and Policy Updates
POLICY UPDATES | DESCRIPTION |
---|---|
New Policies | AWS Elastic IP not in use — Identifies unused Elastic IP (EIP) addresses in your AWS account. Any EIP in your AWS account adds charges to your monthly bill even if it is not associated with any resource. It is recommended to remove EIPs that are not associated with any resource. |
| | AWS SNS topic not configured with secure data transport policy — Identifies AWS SNS topics that are not configured with a secure data transport policy. AWS SNS topics should enforce encryption of data in transit using Secure Sockets Layer (SSL). It is recommended to add an SNS policy that explicitly denies publish access to anybody who accesses the Amazon SNS topic other than through HTTPS. |
| | AWS SNS topic with cross-account access — Identifies AWS SNS topics that are configured with cross-account access. Allowing unknown cross-account access to your SNS topics enables other accounts to gain control over your AWS SNS topics. To prevent unknown cross-account access, allow only trusted entities to access your Amazon SNS topics by implementing the appropriate SNS policies. |
| | Azure Storage account containing VHD OS disk is not encrypted with CMK — Checks for Azure Storage accounts containing a VHD OS disk that are not encrypted with a customer-managed key (CMK). This policy is mapped to CIS Azure 1.3.0 section 7.7. It is recommended to use Customer Managed Keys to encrypt data in Azure Storage accounts for better control over the data. Impact — Alerts are generated for all Azure Storage accounts that have a VHD OS disk and are not encrypted with CMK. |
| | Azure Activity log alert for Delete policy assignment does not exist — Checks for Azure accounts in which an activity log alert for Delete policy assignment does not exist. This policy is mapped to CIS Azure 1.3.0 section 5.2.2. Impact — Alerts are generated for all Azure accounts where an activity log alert for Delete policy assignment does not exist. |
| | Azure Monitor Diagnostic Setting does not captures appropriate categories — Checks for Azure accounts in which the Monitor Diagnostic Setting does not capture the appropriate categories. This policy is mapped to CIS Azure 1.3.0 section 5.1.2. Impact — Alerts are generated for all Azure accounts where the Monitor Diagnostic Setting does not capture the appropriate categories. |
| | OCI users Auth Tokens aged more than 90 days — Identifies user authentication tokens on the OCI platform that have not been rotated in more than 90 days. As a best practice, rotate authentication tokens on a regular basis to protect access made directly, via SDKs, or via the OCI CLI. |
| | OCI users customer secret keys have aged more than 90 days without being rotated — Identifies customer secret keys on the OCI platform that have not been rotated in more than 90 days. As a best practice, rotate customer secret keys on a regular basis to protect access made directly, via SDKs, or via the OCI CLI. |
Policy Updates—RQL and Metadata | AWS Customer Master Key (CMK) rotation is not enabled: exclude inactive keys. The RQL has been updated with an additional key state check to improve the accuracy of alerts. The description and recommendation have also been updated to maintain a consistent format across all policies. Impact — The previous alerts generated for disabled KMS keys will be resolved as Policy_Updated. |
| | AWS EC2 instances with Public IP and associated with Security Groups have Internet Access: extra status check. The RQL has been updated with an extra state check to improve the accuracy of alerts, and the RQL has been optimized using the new nested array grammar. Impact — The previous alerts raised for non-running EC2 instances will be resolved as Policy_Updated. |
| | AWS SQS server side encryption not enabled: the policy description has been updated to maintain a consistent format across all policies, and the recommendation has been updated to reflect recent AWS UI changes. Impact — None. |
| | AWS CloudFormation stack configured without SNS topic: the recommendation has been updated to reflect recent AWS UI changes. Impact — None. |
| | GCP SQL database instance is not configured with automated backups: the policy now excludes SQL instances of type ON_PREMISES_INSTANCE and READ_REPLICA_INSTANCE. Impact — The RQL modification resolves the false positives for ON_PREMISES_INSTANCE and READ_REPLICA_INSTANCE as Policy_Updated, so the number of alerts generated decreases. |
| | AWS IAM Groups with Administrator Access Permissions: extra whitespace. The trailing space at the end of the 'AWS IAM Groups with Administrator Access Permissions' policy name is removed. Impact — None. |
| | GCP VM instances have block project-wide SSH keys feature disabled: a Remediation CLI is added for this policy. Additional permissions are required. Impact — None. |
| | Two anomaly.type attributes renamed: the names of two anomaly.type event query attributes have been changed. |
| | Updated Audit Logs information for Anomaly Settings changes: the information displayed in the UI is updated for the audit logs generated by anomaly settings changes (the original release notes show screenshots of the old and new log information). Impact — None. |
| | Update RQL for VM instance policies: the RQL is modified for the affected VM instance policies. |
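The two SNS policies above (secure data transport and cross-account access) as an added Python example; this is not Prisma Cloud's code or RQL. It evaluates an SNS topic access policy document the way those checks describe: a Deny statement on aws:SecureTransport = false for every principal (the standard AWS pattern for HTTPS-only publishing) and Allow principals outside the owning account. The account id, topic ARN and both sample policies are constructed.

```python
# Added example, not Prisma Cloud code. Account id, topic ARN and policies are constructed.
OWNER = "111111111111"
TOPIC = f"arn:aws:sns:us-east-1:{OWNER}:orders"
HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{OWNER}:root"},
     "Action": "SNS:Publish", "Resource": TOPIC},
    # Explicit deny for any principal that publishes without TLS (HTTPS)
    {"Effect": "Deny", "Principal": "*", "Action": "SNS:Publish", "Resource": TOPIC,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
WEAK = {"Version": "2012-10-17", "Statement": [
    # Grants publish to any AWS account and never denies plaintext transport
    {"Effect": "Allow", "Principal": {"AWS": ["*", "arn:aws:iam::222222222222:root"]},
     "Action": "SNS:Publish", "Resource": TOPIC}]}

def _list(v):
    return v if isinstance(v, list) else [v]

def aws_principals(stmt):
    """AWS principals of a statement; '*' means anonymous / any account."""
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else (_list(p.get("AWS", [])) if isinstance(p, dict) else [p])

def account_of(principal):
    parts = principal.split(":")  # arn:aws:iam::ACCOUNT:root -> ACCOUNT; bare ids pass through
    return parts[4] if len(parts) > 4 else principal

def publishes(stmt):
    return any(a.lower() in ("sns:publish", "sns:*", "*") for a in _list(stmt.get("Action", [])))

def enforces_secure_transport(policy):
    """True if a Deny covers every principal publishing with aws:SecureTransport=false."""
    for s in policy.get("Statement", []):
        flag = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (s.get("Effect") == "Deny" and publishes(s) and "*" in aws_principals(s)
                and str(flag).lower() == "false"):
            return True
    return False

def cross_account_principals(policy, owner=OWNER):
    """Principals in Allow statements outside the owning account ('*' included)."""
    return sorted({p for s in policy.get("Statement", []) if s.get("Effect") == "Allow"
                   for p in aws_principals(s) if account_of(p) != owner})

def audit(policy, owner=OWNER):
    """Names of the two Prisma Cloud policies that this document would trigger."""
    findings = []
    if not enforces_secure_transport(policy):
        findings.append("AWS SNS topic not configured with secure data transport policy")
    if cross_account_principals(policy, owner):
        findings.append("AWS SNS topic with cross-account access")
    return findings
```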
REST API Updates
CHANGE | DESCRIPTION |
---|---|
New location for the Prisma Cloud API Reference | The Prisma Cloud API Reference is available at a new URL: https://prisma.pan.dev/api/cloud/cspm/cspm-api. If you've saved the old URL as a Favorite or Bookmark, please update it. |
Enterprise Settings APIs | The response object for the Enterprise Settings endpoint includes a new attribute, alarmEnabled. |
New Features Introduced in 21.5.1
New Features
FEATURE | DESCRIPTION |
---|---|
Anomaly Settings Updates | When you modify the alert disposition or training model thresholds for Anomaly policies, an audit log is generated that records who made the configuration change and when, to help you track and monitor changes. For User & Entity Behavior Analytics (UEBA) policies, when you modify the alert disposition or training model thresholds, the updated settings apply to new alerts. Existing alerts generated using the previous settings remain as-is and are not marked as Resolved. With this change, UEBA and Network Anomaly policies are consistent in how anomaly settings changes are processed on Prisma Cloud. |
Integration with Azure Sentinel | You can now forward Prisma Cloud alerts to Azure Sentinel using an HTTP-triggered Logic App workflow and the Webhook integration. |
Centralized Scan Settings for Data Security | To help you gauge the volume of data in an S3 bucket and how you have opted to enable scanning, use the updated Settings > Data Scan Settings page. The page enables you to select the S3 buckets for the onboarded cloud accounts and modify the scan settings to perform Forward & Backward or Forward-only scans. When enabling the scan, you can also review an estimate of the Prisma Cloud credits that will be used for the selected S3 buckets. You must use the updated AWS CFT to onboard a cloud account to view bucket size estimates; for already onboarded cloud accounts, the bucket size estimate is not available. The new table view displays an estimate of the total data in the S3 bucket and the volume of data eligible for sensitive data scanning, malware scanning, or both, based on the supported file types and file sizes. |
Alerts 2.0 | Prisma Cloud is rolling out a new alert subsystem. To identify whether you are on version 2.0, check for the Version: 2 label on Alerts > Overview, at the top right above the Search box. With version 2.0, a number of changes take effect. |
Update OCI IAM | The oci-iam-user API has been modified to ingest the ListCustomerSecretKeys and ListAuthTokens REST APIs. These additional APIs are ingested using the permissions in the USER_READ role. |
Update Permission in the AWS CFT | The AWS CFTs that enable you to add cloud accounts to Prisma Cloud now include additional permissions to support the Inventory Configuration for S3 buckets. This inventory list file contains the objects and metadata for the objects in the S3 bucket. |
New Policies and Policy Updates
POLICY UPDATES | DESCRIPTION |
---|---|
New Policies | AWS ECS cluster not configured with active services: Identifies ECS clusters that are not configured with active services. An ECS service enables you to run and maintain a specified number of instances of a task definition simultaneously in an Amazon ECS cluster. It is recommended to remove idle ECS clusters to reduce the container attack surface, or to create new services for the reported ECS cluster. |
| | AWS ECS cluster not configured with a registered instance: Identifies ECS clusters that are not configured with a registered instance. An ECS container instance is an Amazon EC2 instance that runs the Amazon ECS container agent and has been registered into an Amazon ECS cluster. It is recommended to remove idle ECS clusters to reduce the container attack surface, or to register a new instance for the reported ECS cluster. |
| | AWS Amazon Machine Image (AMI) infected with mining malware: Identifies Amazon Machine Images (AMIs) that are infected with mining malware. Research showed that a Windows 2008 AMI hosted by an unverified vendor contained malicious code running an unidentified crypto miner (Monero). It is recommended to delete such AMIs to protect against malicious activity and attacks. |
| | AWS SNS topic is exposed to unauthorized access: Identifies AWS SNS topics that are exposed to unauthorized access. Amazon Simple Notification Service (Amazon SNS) is a web service that coordinates and manages the delivery or sending of messages to subscribing endpoints or clients. To protect these messages from attackers and unauthorized access, permissions should be granted only to authorized users. |
| | Azure Security Center Defender set to Off for Container Registries: Checks Azure Security Center and determines whether the Defender setting for Container Registries is set to Off. This can generate alerts for all Azure Security Center instances where the Defender setting is Off for Container Registries. This policy is mapped to CIS Azure 1.3.0 section 2.7. |
| | Azure Security Center Defender set to Off for SQL servers on machines: Checks Azure Security Center and determines whether the Defender setting for SQL servers on machines is set to Off. This can generate alerts for all Azure Security Center instances where the Defender setting for SQL servers on machines is Off. This policy is mapped to CIS Azure 1.3.0 section 2.4. |
| | Anomalous Compute Provisioning Activity: The new Anomaly policy detects unusual activity related to the provisioning of compute resources, such as a high number of instances being brought up, or provisioning activity originating from TOR nodes or from multiple distant locations within a short period of time. This behavior typically indicates the creation of an unauthorized network of compute instances for cryptojacking. |
Policy Updates | AWS IAM policy allows assume role permission across all services: The RQL is updated to exclude unattached policies from reporting. Impact — Existing alerts generated for unattached policies will be resolved as Policy_Updated. |
| | Azure Load Balancer diagnostics logs are disabled: The policy recommendation has been updated because the steps for an Azure Load Balancer with the Basic SKU were missing. Impact — No impact on existing alerts. |
| | GCP Projects have OS Login Disabled: The policy RQL is modified. Impact — This improves the accuracy of alerts and reduces the number of alerts that are generated. |
| | GCP Firewall rules allow inbound traffic from anywhere with no target tags set: The policy RQL is modified to exclude Deny rules. The policy was producing false positives because the RQL did not check whether a GCP firewall rule is an Allow or a Deny rule. Impact — The update resolves the false positive alerts and therefore reduces the number of alerts generated. |
REST API Updates
CHANGE | DESCRIPTION |
---|---|
New Data Security APIs | New Data Security APIs are available. |
Account Group API update | A successful POST /cloud/group request to create an account group now returns the created account group. |