Features Introduced in November 2021
Learn what’s new on Prisma™ Cloud in November 2021.
New Features Introduced in 21.11.1
New Features
FEATURE | DESCRIPTION |
---|---|
IAM Security Supports IAM Azure | IAM Security on Prisma Cloud now supports enhanced capabilities to calculate effective permissions, detect overly permissive access, and suggest corrections to reach least-privilege entitlements in your Azure environments. It includes out-of-the-box policies that govern IAM best practices to help you identify risky permissions and get to the ideal set of privileges for your deployment in Azure. |
IAM Security Integrates with Azure Active Directory | IAM Security now integrates with Azure Active Directory (AD) and calculates effective permissions and overly permissive access for Azure AD, whether it is used within Azure or as an SSO provider for AWS accounts. This gives you visibility into your Azure AD identities and their permissions across your AWS and Azure accounts. |
_IPAddress.areAnyOutsideCIDRRange() RQL Function | A new RQL function allows you to write config RQL queries that check whether any IP/CIDR blocks are outside a given list of permitted CIDR blocks. You can use this function to check whether any resources are exposed to IP addresses outside the RFC 1918 private CIDR blocks. The first argument is a JSON expression that evaluates to one or more IP or CIDR addresses. The second and subsequent arguments list the IP/CIDR addresses and/or ranges to test against. IPv4 and IPv6 address formats are accepted. An address that is not a valid IP or CIDR is never considered a match, which means that a valid IP checked against an invalid range is considered outside of the specified range. Example: |
Limited GA: Automatically Dismiss Alerts | You can now automatically dismiss alerts that have specific tags, as defined on the resource and added to the Resource List on Prisma Cloud. This enhancement enables you to add a Reason, Requestor, and Approver for the automatic dismissal. The details of the reason for dismissal are included in the alert rule L2 view. With Auto Dismissal, when you update an alert rule, all existing alerts with matching tags are auto-dismissed. When an alert has been dismissed and you then update the alert rule, the alert stays dismissed. |
API Ingestions | Amazon Elastic Load Balancing: aws-elbv2-target-health. No additional permissions required. |
| | AWS S3: getBucketReplicationConfiguration. Additional permissions required: |
| | AWS Systems Manager: aws-ssm-document. Additional permissions required: |
| | AWS Shield: aws-shield-advanced-status. Additional permissions required: |
| | Azure Service Bus: azure-service-bus-topic-subscription. Additional permissions required: The Reader role includes these permissions. |
| | Azure Service Bus: azure-service-bus-topic. Additional permissions required: The Reader role includes these permissions. |
| | Azure Service Bus: azure-service-bus-queue. Additional permissions required: The Reader role includes these permissions. |
| | Google Firebase Rules: gcloud-firebaserules-ruleset. Additional permissions required: |
| | Google Cloud Composer: gcloud-composer-environment. Additional permissions required: |
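The semantics the table above gives for _IPAddress.areAnyOutsideCIDRRange() (a permitted-CIDR list, invalid IP/CIDR entries never matching, IPv4 and IPv6 accepted), modelled in Python as an added example; this is not Prisma Cloud's code or RQL. The resource_exposed_outside helper, the ipRanges field and the sample resources are constructed for illustration, and skipping unparsable entries in the evaluated expression is an assumption the page does not state.

```python
import ipaddress
from typing import Any, Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# RFC 1918 private IPv4 ranges: the permitted list the release note gives as the typical use.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_network(value: Any) -> Optional[Network]:
    """Parse one IP or CIDR string; return None for anything that is not a valid IP/CIDR."""
    try:
        return ipaddress.ip_network(str(value), strict=False)
    except ValueError:
        return None


def are_any_outside_cidr_range(addresses: Iterable[Any], *permitted: str) -> bool:
    """Model of the behaviour the release note describes: True when at least one valid
    address/CIDR in `addresses` is not contained in any valid permitted range.
    A permitted entry that is not a valid IP/CIDR never matches, so a valid address
    checked only against invalid ranges counts as outside. Assumption (not stated on
    the page): invalid entries in `addresses` are skipped, not reported as outside."""
    permitted_nets: List[Network] = [n for n in map(parse_network, permitted) if n is not None]
    for addr in addresses:
        net = parse_network(addr)
        if net is None:
            continue  # assumption: an unparsable address is ignored
        # subnet_of() only accepts networks of the same IP version, so compare versions first.
        inside = any(net.version == p.version and net.subnet_of(p) for p in permitted_nets)
        if not inside:
            return True
    return False


def resource_exposed_outside(resource: dict, field: str, *permitted: str) -> bool:
    """Stand-in for the JSON-expression first argument: read `field` from a resource
    dict (a string or a list of strings) and evaluate it against the permitted list."""
    raw = resource.get(field, [])
    values = raw if isinstance(raw, list) else [raw]
    return are_any_outside_cidr_range(values, *permitted)


if __name__ == "__main__":
    # Constructed sample resources for illustration, not real Prisma Cloud ingestion data.
    internal_only = {"name": "sg-internal", "ipRanges": ["10.1.2.0/24", "192.168.50.7"]}
    public_exposed = {"name": "sg-public", "ipRanges": ["10.1.2.0/24", "203.0.113.7/32"]}
    for res in (internal_only, public_exposed):
        print(res["name"], "exposed outside RFC 1918:",
              resource_exposed_outside(res, "ipRanges", *RFC1918))
```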
Changes in Existing Behavior
FEATURE | CHANGE |
---|---|
Update AWS Snapshot API Ingestion of Public AMIs | Prisma Cloud now supports AWS Snapshot API ingestion of additional public AMIs. This is used by the auto-defend feature in Compute to get the image platform information that is used to check whether the image is Windows- or Linux-based, which determines the type of Defender deployed for the image. The default time interval for the ingestion of public AMIs is 24 hours. If you have a custom policy with RQL that checks for the JSON metadata image.public=true, it now displays results for all AMIs that are public. Old behavior: the following RQL displays results for all AMIs that are public and shared with the account: New behavior: the same RQL now displays all images that are public, both those shared with the account and those that are not. To retain the behavior prior to the change, you must modify the custom policies to add the additional condition image.shared=false along with image.public=true. |
Update AWS SSM Document API | AWS Systems Manager: aws-ssm-document. The aws-ssm-document API that Prisma Cloud currently ingests is updated to fetch more resource metadata from the AWS Systems Manager service. The permissions required are: Impact: the isShared attribute in the API is replaced with accountSharingInfoList. As a best practice, update any custom policies that use isShared and replace it with the new accountSharingInfoList attribute: |
Updates API Ingestions | Azure Active Directory: the azure-active-directory-group-members API, along with any default policies on the API, is deprecated. The same ingestion capabilities are provided by the new azure-active-directory-iam-group API. Old: New: |
Deprecated Permission Removed from GCP API | The cloudfunctions.locations.list permission is not mandatory for the gcloud-cloud-function API. |
New Compliance Benchmarks and Updates
COMPLIANCE BENCHMARK | DESCRIPTION |
---|---|
Azure Security Benchmark (ASB) v2 | New compliance support for Azure Security Benchmark (ASB) v2. |
CIS Azure v1.3.1 | New compliance support for CIS Microsoft Azure Foundations Benchmark v1.3.1. |
New Policies and Policy Updates
POLICY UPDATES | DESCRIPTION |
---|---|
New Policies | GCP Cloud Run service with overly permissive ingress rule: identifies GCP Cloud Run services configured with overly permissive ingress rules. It is recommended to restrict traffic from public and other resources by allowing traffic to enter only through load balancers or as internal traffic, for better network-based access control. |
| | GCP Cloud Function HTTP trigger is not secured: identifies GCP Cloud Functions whose HTTP trigger is not secured. When you configure HTTP functions to be triggered only over HTTPS, user requests are redirected to the HTTPS protocol, which is more secure. It is recommended to set 'Require HTTPS' when configuring HTTP triggers while deploying your GCP Cloud Function. |
| | GCP Cloud Function configured with overly permissive Ingress setting: identifies GCP Cloud Functions configured with an overly permissive ingress setting. It is recommended to restrict traffic from public and other resources by allowing traffic to enter only from VPC networks in the same project or through cloud load balancers, for better network-based access control. |
Policy Updates—Metadata | AWS access keys not used for more than 90 days. Changes: the policy recommendation has been updated. Impact: this change does not impact existing alerts. |
Policy Updates—RQL | AWS Amazon Machine Image (AMI) is publicly accessible. The update for the aws-ec2-describe-images API ingests resources that are not owned by the AWS account, which causes excess alerts. The RQL has been updated to generate alerts only for customer-owned AMIs that are public. The description and recommendation steps have also been updated. Current: Updated to: Impact: this change does not impact existing alerts. |
| | AWS resources that are publicly accessible through IAM policies. The RQL for this policy now includes an additional attribute, cloud.policy.conditions. Current: Updated to: Impact: the accuracy of alerts is improved. |
REST API Updates
CHANGE | DESCRIPTION |
---|---|
Prisma Cloud CSPM REST API Schema Properties for AWS Cloud Accounts | The following CSPM API schema properties have been removed: AwsCloudAccountModel is the response schema for the following API request: |