1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Release Notes
    5. Prisma™ Cloud Release Information
    6. Features Introduced in 2021
    7. Features Introduced in May 2021

    Features Introduced in May 2021

    New Features

    FEATURE
    DESCRIPTION
    Alarm Center
    Prisma Cloud generates health notifications called
    Alarms
     that display system-level issues and errors that have occurred in Integrations status and Cloud Accounts status.
    You can enable Alarms on the
    Settings
    Enterprise Settings
     page.
    The
    Alarm Center
     displays the alarms, which you can review and take necessary action to rectify the error or issue.
    Support for shared S3 Bucket for AWS CloudTrail Event Logs
    To support scenarios where you do not store AWS CloudTrail event logs within the same S3 bucket that you are onboarding to Prisma Cloud for Data Security scanning, you now can specify a central or shared S3 bucket that stores your AWS CloudTrail event logs.
    Support for Event Attribution on Google Cloud Platform
    For GCP resources that are being monitored on Prisma Cloud, you can now view events related to the resource (audit trail) on the Resource Explorer. This capability is available for AWS and Azure.
    API Ingestion
    AWS WAF
    aws-waf-classic-web-acl-resource
    Additional permissions required:
    waf-regional:GetLoggingConfiguration
    aws-waf-v2-web-acl-resource
    Additional permissions required:
    wafv2:GetLoggingConfiguration
    Google Binary Authorization
    gcloud-binary-authorization-policy
    Additional permissions required:
    binaryauthorization.policy.get
    binaryauthorization.policy.getIamPolicy
    The permissions are included in the Project Viewer role.
    Update
    Prisma Cloud CLI
    The Prisma Cloud CLI is no longer supported.

    New Policies and Policy Updates

    POLICY UPDATES
    DESCRIPTION
    New Policies
    AWS Elastic IP not in use
    —Identifies unused Elastic IP (EIP) addresses in your AWS account.
    Any EIP in your AWS account adds charges to your monthly bill even if it is not associated with any resources. It is recommended to remove EIPs that are not associated with any resources.
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-elastic-address' AND json.rule = associationId does not exist
    AWS SNS topic not configured with secure data transport policy
    —Identifies AWS SNS topics that are not configured with a secure data transport policy.
    AWS SNS topics should enforce encryption of data in transit using Secure Sockets Layer (SSL). It is recommended to add an SNS policy that explicitly denies publish access from anybody who browses to Amazon SNS topics if they are not accessed through HTTPS.
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any((Principal.AWS equals * or Principal equals *) and Condition.Bool.aws:SecureTransport does not exist and Action contains Publish)] exists or Policy.Statement[?any((Effect equals Allow and Action contains Publish and (Principal.AWS equals * or Principal equals *) and (Condition.Bool.aws:SecureTransport contains false or Condition.Bool.aws:SecureTransport contains FALSE)) or (Effect equals Deny and Action contains Publish and (Principal.AWS equals * or Principal equals *) and (Condition.Bool.aws:SecureTransport contains true or Condition.Bool.aws:SecureTransport contains TRUE)))] exists
    AWS SNS topic with cross-account access
    —Identifies AWS SNS topics that are configured with cross-account access.
    Allowing unknown cross-account access to your SNS topics will enable other accounts to gain control over your AWS SNS topics. To prevent unknown cross-account access, allow only trusted entities to access your Amazon SNS topics by implementing the appropriate SNS policies.
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS does not equal * and Principal does not equal * and Principal.AWS contains arn))] exists
    Azure Storage account containing VHD OS disk is not encrypted with CMK
    —Checks for Azure Storage accounts containing VHD OS disk that are not encrypted with CMK.
    This policy is mapped to CIS Azure 1.3.0 section 7.7 compliance standard. It is recommended to use Customer Managed Keys to encrypt data in Azure Storage accounts for better data control.
    Impact
    —Alerts generated for all Azure Storage accounts which have VHD OS disk and are not encrypted with CMK.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = ['properties.storageProfile'].osDisk.vhd.uri exists and powerState contains running as X; config from cloud.resource where api.name = 'azure-storage-account-list' AND json.rule = properties.encryption.keySource equals "Microsoft.Storage" as Y; filter "$.['X'].['properties.storageProfile'].['osDisk'].['vhd'].['uri'] contains $.Y.name"; show Y;
    Azure Activity log alert for Delete policy assignment does not exist
    —Checks for Azure accounts in which activity log alert for Delete policy assignment does not exist.
    This policy is mapped to CIS Azure 1.3.0 section 5.2.2 compliance standard.
    Impact
    —Alerts generated for all Azure accounts where activity log alert for Delete policy assignment does not exist.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.scopes[*] does not contain resourceGroups and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Authorization/policyAssignments/delete" as X; count(X) less than 1
    Azure Monitor Diagnostic Setting does not captures appropriate categories
    —Checks for Azure accounts in which Monitor Diagnostic Setting does not captures appropriate categories.
    This policy is mapped to CIS Azure 1.3.0 section 5.1.2 compliance standard.
    Impact
    —Alerts generated for all Azure accounts where Monitor Diagnostic Setting does not captures appropriate categories.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = properties.logs[?any((enabled is true and category equals Administrative))] exists and properties.logs[?any((enabled is true and category equals Alert))] exists and properties.logs[?any((enabled is true and category equals Policy))] exists and properties.logs[?any((enabled is true and category equals Security))] exists as X; count(X) less than 1
    OCI users Auth Tokens aged more than 90 days
    —Identifies user authentication tokens on the OCI platform that have not been rotated in more than 90 days.
    As a best practice, rotate the authentication tokens on a regular basis to protect access directly, via SDKs, or OCI CLI.
     config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-iam-user' AND json.rule = 'authTokens[?any(lifecycleState equals ACTIVE and (_DateTime.ageInDays(timeCreated) > 90))] exists'
    OCI users customer secret keys have aged more than 90 days without being rotated
    —Identifies customer secret keys on the OCI platform that have not been rotated in more than 90 days.
    As a best practice, rotate customer secret keys on a regular basis to protect access directly, via SDKs, or OCI CLI.
    config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-iam-user' AND json.rule = 'customerSecretKeys[?any(lifecycleState equals ACTIVE and (_DateTime.ageInDays(timeCreated) > 90))] exists'
    Policy Updates—RQL and Metadata
    AWS Customer Master Key (CMK) rotation is not enabled
     to exclude inactive keys
    The RQL has been updated with an additional key state check to improve the accuracy of alerts. The description and recommendation have also been updated to maintain a consistent format across all policies.
    Impact
    —The previous alerts generated for disabled KMS keys will be resolved as Policy_Updated.
    Add extra status check for
    AWS EC2 instances with Public IP and associated with Security Groups have Internet Access
    The RQL has been updated with an extra state check to improve the accuracy of alerts, and the RQL has been optimized using the new nested array grammar.
    Impact
    —The previous alerts raised for non-running EC2 instances will be resolved as Policy_Updated.
    AWS SQS server side encryption not enabled
    The policy description has been updated to maintain a consistent format across all policies and the recommendation has been updated as per recent AWS UI changes.
    Impact
    —None.
    AWS CloudFormation stack configured without SNS topic
    The recommendation has been updated as per recent AWS UI changes.
    Impact
    —None.
    GCP SQL database instance is not configured with automated backups
    The policy is now modified to exclude ON_PREMISES_INSTANCE and READ_REPLICA_INSTANCE of SQL instances.
    Impact
    —The RQL modification resolves the false positives for ON_PREMISES_INSTANCE and READ_REPLICA_INSTANCE as Policy_Updated. There will be a decrease in the number of alerts generated.
    AWS IAM Groups with Administrator Access Permissions
     extra whitespace
    The extra space at the end of the 'AWS IAM Groups with Administrator Access Permissions' policy is removed.
    Impact
    —None.
    GCP VM instances have block project-wide SSH keys feature disabled
    Remediation CLI is added for this policy.
    Additional permissions required: 
    compute.instances.setMetadata
    Impact
    —None.
    Two anomaly.type attributes renamed
    The names have been changed for the following two 
    anomaly.type
    event query attributes:
    • From 
      Bruteforce Login
      to 
      Excessive Login Failures
    • From 
      Unusual compute resource provisioning anomaly
      to 
      Anomalous Compute Provisioning
    Impact
    —None.
    Updated Audit Logs information for Anomaly Settings changes
    The information displayed in the UI is updated for the following audit logs generated by anomaly settings changes:
    • Name
      —Changed from
      enterprise_settings
       to the name of the policy for which the settings were changed
    • Resource
      —Changed from
      Anomalies Settings
       to
      Anomaly Settings
    • Operation
      —Changed from policy ID to policy name
    • Alert Disposition for UEBA Policies
      —Changed from an internal threshold score to
      conservative/moderate/aggressive
       string
    Impact
    —None.
    Old log information
    New log information
    Update RQL for VM instance policies
    The RQL is modified for the following policies:
    • GCP VM instances have block project-wide SSH keys feature disabled
    • GCP VM instances with excessive service account permissions
    • GCP VM disks not encrypted with Customer-Supplied Encryption Keys (CSEK)
    • GCP VM instances have IP Forwarding enabled
    • VM Instances enabled with Pre-Emptible termination
    • GCP VM instance using a default service account with full access to all Cloud APIs
    • GCP VM instance with the external IP address
    • VM instances without metadata, zone or label information
    • GCP VM instance configured with default service account
    • VM Instances without any Custom metadata information
    • GCP VM instances have serial port access enabled
    • GCP VM instance with Shielded VM features disabled
    • VM Instances without any Label information
      The names are modified for the following policies:
      • VM Instances enabled with Pre-Emptible termination
      • VM instances without metadata, zone or label information
      • VM Instances without any Label information
      • VM Instances without any custom metadata information
        The policies have the following changes:
        • The GCP VM policies with high alerts had their RQL modified to check the status of the VM instances. The RQL has been modified to alert instances with the status of
          Running
          .
        • The GKE label
          goog-gke-node
           had its check removed from policies as a customer request to resolve inconsistencies associated with GKE instances.
        • The RQL grammar for
          VM Instances without any Custom metadata information
           has been updated.
      • Impact
        —A high number of alerts will be resolved as Policy_Updated.
      The names are modified for the following policies:
      • VM Instances enabled with Pre-Emptible termination
      • VM instances without metadata, zone or label information
      • VM Instances without any Label information
      • VM Instances without any custom metadata information
        The policies have the following changes:
        • The GCP VM policies with high alerts had their RQL modified to check the status of the VM instances. The RQL has been modified to alert instances with the status of
          Running
          .
        • The GKE label
          goog-gke-node
           had its check removed from policies as a customer request to resolve inconsistencies associated with GKE instances.
        • The RQL grammar for
          VM Instances without any Custom metadata information
           has been updated.
      • Impact
        —A high number of alerts will be resolved as Policy_Updated.

    REST API Updates

    CHANGE
    DESCRIPTION
    New location for the Prisma Cloud API Reference
    The Prisma Cloud API Reference is available at a new URL: https://prisma.pan.dev/api/cloud/cspm/cspm-api. If you’ve save the old URL as a Favorite or Bookmark, please update it.
    Enterprise Settings APIs
    The response object for the following endpoint includes a new attribute,
    alarmEnabled
    :
    • GET /settings/enterprise

    New Features

    FEATURE
    DESCRIPTION
    Anomaly Settings Updates
    When you modify the alert disposition or training model thresholds for Anomaly policies, an audit log is generated to record who made the configuration change and when, to help you track and monitor changes.
    For User & Entity Behavior Analytics (UEBA) policies, when you modify the alert disposition or training model thresholds, the updated settings are applicable for new alerts. Existing alerts generated using the previous setting remain as-is, and are not marked as
    Resolved
    .
    With this change, UEBA and Network Anomaly policies are consistent in how anomaly settings changes are processed on Prisma Cloud.
    Integration with Azure Sentinel
    You can now forward Prisma Cloud alerts to Azure Sentinel using HTTP-triggered Logic App workflow and Webhook integration.
    Centralized Scan Settings for Data Security
    To help you gauge the volume of data in an S3 bucket and how you have opted to enable scanning, use the updated
    Settings
    Data
    Scan Settings
     page.
    The page enables you to select the S3 buckets for the onboarded cloud accounts and modify the scan settings to perform Forward & Backward or Forward-scan only. When enabling the scan, you can also review an estimate of the Prisma Cloud credits that will be used for the selected S3 buckets.
    You must use the updated AWS CFT to onboard a cloud account to view bucket size estimates. For already onboarded cloud accounts, the bucket size estimation will not be available.
    The new table view displays an estimate of the total data in the S3 bucket, and the volume of data eligible for sensitive data scanning, malware scanning, or both based on the supported file types and file size.
    Alerts 2.0
    Prisma Cloud is rolling out a new alert subsystem. To help you identify if you are on version 2.0, on the
    Alerts
    Overview
     page, check whether the
    Version: 2
     label displays on the top right above the
    Search
     box.
    With version 2.0, the following changes will take effect:
    • Depending on volume of alerts, the time to update the status of an alert can vary when you update an alert rule. For example, if you remove a policy from an alert rule, all open alerts will transition to a resolved state and the time to reflect this change on the interface can depend on the number of corresponding alerts.
    • When you modify an alert rule, and the conditions that triggered the alert are no longer valid, the alert is updated as
      Resolved
      .
    • (
      New
      ) The
      Active Alert Rules
       name associated with an alert displays as
      N/A
       in the alert details view.
      This N/A state means that the match criteria changed because of the following reasons:
      • The alert rule that triggered the alert is disabled or deleted.
      • The cloud account is no longer included in the alert rule that triggered the alert.
      • The policy that triggered the alert is removed from the alert rule.
    • For alert rules with scheduled notifications, the notification is sent when an alert status changes from one state to anotheras tracked in the
      Alert Status Updated
       timestamp.
      This change will not impact those who have configured notifications for
      Open
       alerts only.
    Update
     OCI IAM
    The
    oci-iam-user
     API have been modified to ingest the
    ListCustomerSecretKeys
     and
    ListAuthTokens
     REST APIs.
    These additional APIs are ingested using the permissions in the USER_READ role.
    Update
     Permission in the AWS CFT
    The AWS CFTs that enable you add cloud accounts to Prisma Cloud now includes additional permissions to support the Inventory Configuration for S3 buckets. This inventory list file contains the objects and metadata for the objects in the S3 bucket.
    
	{
            "PolicyName": "PrismaCloud-Storage-Inventory-ConfigUpdate",
            "PolicyDocument": {
              "Version": "2012-10-17",
          "Statement": [
                {
                  "Sid": "RequiredForS3InventoryConfiguration",
                  "Action": "s3:PutInventoryConfiguration",
                  "Effect": "Allow",
                  "Resource": "*"
                }
              ]
            }
          }

    New Policies and Policy Updates

    POLICY UPDATES
    DESCRIPTION
    New Policies
    AWS ECS cluster not configured with active services
    Identifies ECS clusters that are not configured with active services. ECS service enables you to run and maintain a specified number of instances of a task definition simultaneously in an Amazon ECS cluster. It is recommended to remove Idle ECS clusters to reduce the container attack surface or create new services for the reported ECS cluster.
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ecs-cluster' AND json.rule = status equals ACTIVE and activeServicesCount equals 0
    AWS ECS cluster not configured with a registered instance
    Identifies ECS clusters that are not configured with a registered instance. The ECS container instance is an Amazon EC2 instance that is running the Amazon ECS container agent, and has been registered into an Amazon ECS cluster. It is recommended to remove idle ECS clusters to reduce the container attack surface or to register a new instance for the reported ECS cluster.
    config from cloud.resource where api.name = 'aws-ecs-service' AND json.rule = launchType equals EC2 as X; config from cloud.resource where api.name = 'aws-ecs-cluster' AND json.rule = status equals ACTIVE and registeredContainerInstancesCount equals 0 as Y; filter '$.X.clusterArn equals $.Y.clusterArn'; show Y;
    AWS Amazon Machine Image (AMI) infected with mining malware
    Identifies Amazon Machine Images (AMIs) that are infected with mining malware. Research showed that an AMI Windows 2008 was hosted by an unverified vendor and contained malicious code running an unidentified crypto miner (Monero). It is recommended to delete such AMIs to protect from malicious activity and attacks.
    config from cloud.resource where cloud.type = 'aws' AND api.name='aws-ec2-describe-images' AND json.rule = image.platform contains windows and image.imageId contains ami-1e542176
    AWS SNS topic is exposed to unauthorized access
    Identifies AWS SNS topics that are exposed to unauthorized access. Amazon Simple Notification Service (Amazon SNS) is a web service that coordinates and manages the delivery or sending of messages to subscribing endpoints or clients. To protect these messages from attackers and unauthorized access, permissions should be given to only authorized users.
    

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS equals * or Principal equals *) and Condition does not exist)] exists
    Azure Security Center Defender set to Off for Container Registries
    Checks Azure Security Center and determines if the Defender setting for Container Registries is set to
    Off
    . This could impact alerts being generated for all Azure Security Center where the Defender setting is Off for Container Registries. This policy is mapped to CIS Azure 1.3.0 section 2.7 compliance standard.
    
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any( name equals ContainerRegistry and properties.pricingTier does not equal Standard)] exists
    Azure Security Center Defender set to Off for SQL servers on machines
    Checks Azure Security Center and determines if the Defender setting for SQL servers on machines is set to
    Off
    . This could impact alerts being generated for all Azure Security Center where the Defender setting on machines is set to
    Off
     for SQL servers. This policy is mapped to CIS Azure 1.3.0 section 2.4 compliance standard.
    
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any( name equals SqlServerVirtualMachines and properties.pricingTier does not equal Standard)] exists
    Anomalous Compute Provisioning Activity
    The new Anomaly policy detects unusual activity related to the provisioning of compute resources such as high number of instances being brought up, the provisioning activity originating from TOR nodes or from multiple distant locations in a short duration of time. This behavior typically indicates the creation of an unauthorized network of compute instances for cryptojacking.
    Policy Updates
    AWS IAM policy allows assume role permission across all services
    The RQL is updated to exclude unattached policies from reporting and is modified as follows:
    config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Effect equals Allow and Action contains sts:AssumeRole and Resource equals * and Condition does not exist)] exists
    Impact
    —Existing alerts generated for unattached policies will be resolved as Policy_Updated.
    Azure Load Balancer diagnostics logs are disabled
    The policy recommendation has been updated because the steps for Azure Load Balancer with Basic SKU was missing.
    Impact
    —No impact on existing alerts.
    GCP Projects have OS Login Disabled
    The policy RQL is modified as follows:
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-project-info' AND json.rule = 'commonInstanceMetadata.items[*].key does not contain enable-oslogin or (commonInstanceMetadata.items[?any(key contains enable-oslogin and (value contains false or value contains FALSE))] exists)'
    Impact
    —This updates the accuracy of alerts and reduces the number of alerts that are generated.
    GCP Firewall rules allow inbound traffic from anywhere with no target tags set
    The policy RQL is modified to escape
    Deny
     rules because the policy was giving false positives due to the policy RQL not being set to check if the GCP is an
    Allow
     or a
    Deny
     rule.
    The policy RQL is modified as follows:
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'direction equals "INGRESS" and allowed[*] exists and sourceRanges[*] contains 0.0.0.0/0 and targetTags[*] does not exist and targetServiceAccounts[*] does not exist'
    Impact
    —The update is going to resolve false positive alerts and therefore reduce the number of alerts being generated.

    REST API Updates

    CHANGE
    DESCRIPTION
    New Data Security APIs
    The following new Data Security APIs are available:
    • GET /dlp/api/v1/object-inventory/resource
      Lists AWS S3 bucket resources and corresponding amounts of data eligible for sensitive data scans, malware scans, or both, based on supported file types and file sizes.
    • PUT /dlp/api/config/v2/resource
      Updates the data security settings scan configuration for specific resources.
    Account Group API update
    A successful
    POST /cloud/group
     request to create an account group now returns the created account group.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo