Features Introduced in October 2021

Learn what’s new on Prisma™ Cloud in October 2021.

New Features Introduced in 21.10.2

New Features

FEATURE
DESCRIPTION
Enhancements to Asset Inventory
The Asset Inventory has been updated with a new look-and-feel and performance improvements for faster navigation. Additionally, you have a new filter for Service Name within
Assets by Classification
that you can use to visualize the top ten services you have adopted across the cloud accounts onboarded on Prisma Cloud.
The roll out for the asset inventory enhancements is gradual, and it is phased for each Prisma Cloud region. You will see the changes described, when it becomes available on your tenant. If you want to see these changes on your tenant sooner, reach out to your Customer Success or account team for enabling it.
Support for new regions on OCI
Prisma Cloud now ingests data for resources deployed in the Dubai, Cardiff, Santiago, and Vinhendo cloud regions on OCI.
Support for Google CSCC and PagerDuty as Notification Channels for Alarm Center
In addition to Email, Splunk, and Webhook, you can now also configure Google Cloud Security Command Center (CSCC) and PagerDuty as channels to receive notifications when alarms are generated on Prisma Cloud. By setting up to receive notifications on these channels, you do not need to log in to Prisma Cloud console at all times in order to know when an error or issue occurs.
Filter Alerts by Policy Subtype
You now have the option to filter alerts by policy subtype on
Alerts Overview
.
Cloud Account Onboarding Templates—Permission Updates
To automatically deploy Defenders for unsecured workloads, additional permissions are added to the
Monitor
and
Monitor and Protect
mode onboarding templates on Prisma Cloud. Review the complete list of the feature-wise permissions that will enable you to adopt the Compute capabilities more easily.
In Monitor & Protect mode, Prisma Cloud has the access required to enable agentless workload scanning (to be supported in an upcoming release), deploy Compute Defenders and optionally remediate resource configuration issues to ensure continuous compliance in your AWS, GCP, and Azure accounts.
For AWS GovCloud, the FedRamp templates do not include these additional permissions.
API Ingestions
Amazon S3
aws-s3-batch-operation
The permissions required are:
  • s3:DescribeJob
  • s3:ListJobs
  • s3:GetJobTagging
These permissions are included in the Reader role.
Azure Active Directory
azure-active-directory-iam-group
The permissions required are:
  • Group.Read.All
  • GroupMember.Read.All
Azure Service Bus
azure-service-bus-namespace
The permissions required are:
  • Microsoft.ServiceBus/namespaces/read
  • Microsoft.ServiceBus/namespaces/authorizationRules/read
  • Microsoft.ServiceBus/namespaces/networkrulesets/read
  • Microsoft.Insights/DiagnosticSettings/Read
These permissions are included in the Reader role.
Azure Service Bus
azure-service-bus-namespace-private-endpoint-connection
The permissions required are:
Microsoft.ServiceBus/namespaces/privateEndpointConnections/read
These permissions are included in the Reader role.
Azure Container Registry
azure-container-registry-repository
These permissions are included in the Reader role.
OCI Containers And Artifacts
oci-containers-artifacts-kubernetes-cluster
The permissions required are:
cluster_inspect

Changes in Existing Behavior

FEATURE
CHANGE
Onboarding AWS Accounts on Prisma Cloud
The default option when you add a new AWS Cloud account on Prisma Cloud is now
Monitor and Protect
mode instead of
Monitor
mode.
For the permission updates in the templates, see Cloud Account Onboarding Templates—Permission Updates. You can also download the templates from the S3 bucket URLsand review the permissions.

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 21.11.1.
POLICY UPDATES
DESCRIPTION
New Policies
IAM Azure GA
—4 New OOTB policies
Here are the list of policies that have been added with the
IAM Azure GA
release of the IAM Security Module:
Azure entities with risky permissions
Identifies Azure IAM permissions that are risky. As a best practice, Azure entities provisioned in your Azure subscription shouldn’t have a risky set of permissions to minimize security risks.
config from iam where dest.cloud.type = 'AZURE' and action.name in ('Microsoft.AzureActiveDirectory/b2cDirectories/write','Microsoft.ManagedIdentity/userAssignedIdentities/write','Microsoft.ManagedIdentity/userAssignedIdentities/assign/action','Microsoft.KeyVault/vaults/read','Microsoft.KeyVault/vaults/write','Microsoft.KeyVault/vaults/deploy/action','Microsoft.KeyVault/vaults/accessPolicies/write','Microsoft.Authorization/roleDefinitions/write','Microsoft.Authorization/roleAssignments/write','Microsoft.Authorization/policySetDefinitions/write','Microsoft.Authorization/policyExemptions/write','Microsoft.Authorization/policyDefinitions/write','Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/write','Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/write','Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/write','Microsoft.Authorization/policyAssignments/privateLinkAssociations/write','Microsoft.Authorization/policyAssignments/write','Microsoft.Authorization/locks/write','Microsoft.Authorization/denyAssignments/write','Microsoft.Authorization/classicAdministrators/write')
Azure IAM effective permissions are over-privileged (7 days)
Identifies Azure IAM permissions that are over-privileged. As a best practice, grant the least privilege access—for example—granting only the permissions required to perform a task, instead of providing excess permissions.
config from iam where dest.cloud.type = 'AZURE' and action.lastaccess.days > 7
Azure IAM effective permissions are over-privileged (90 days)
Identifies Azure IAM permissions that are over privileged. As a best practice, grant the least privilege access like granting only the permissions required to perform a task, instead of providing excess permissions.
config from iam where dest.cloud.type = 'AZURE' and action.lastaccess.days > 90
Azure effective permissions granting wildcard resource access
Identifies Azure IAM role definitions that contain
'*'
at the scope level. As a best practice, Azure role definitions should not have
'*'
at the scope level to prevent wildcard access to your resources.
config from iam where dest.cloud.type = 'AZURE' and dest.cloud.resource.name = '*'
AWS OpenSearch Fine-grained access control is disabled
Identifies AWS OpenSearch instances that have fine-grained access control disabled. This could impact alerts generated for all AWS OpenSearch instances with this option off.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-es-describe-elasticsearch-domain' AND json.rule = advancedSecurityOptions.enabled is false and advancedSecurityOptions.internalUserDatabaseEnabled is false
Policy Updates—Metadata
GCP Projects have OS Login disabled
The policy recommendation has been updated to allow
enable-oslogin
configuration at the instance-level instead of at the project-level.
Policy Updates—RQL
AWS RDS instance not in private subnet
The policy description, recommendation, and RQL has been updated. The RQL for this OOB policy previously used the
contains
operator when comparing two arrays; it has now been updated to include the
intersects
operator.
Current
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-route-tables' as Y; filter "($.Y.associations[*].subnetId exists and $.X.dbsubnetGroup.subnets[*].subnetIdentifier contains $.Y.associations[*].subnetId) and ($.Y.routes[*].gatewayId exists and $.Y.routes[?(@.destinationCidrBlock == '0.0.0.0/0')].gatewayId contains igw)"; show X;
Updated to
config from cloud.resource where api.name = 'aws-rds-describe-db-instances' as X; config from cloud.resource where api.name = 'aws-ec2-describe-route-tables' AND json.rule = associations[*].subnetId exists and routes[?any( state equals active and gatewayId starts with igw- and (destinationCidrBlock equals "0.0.0.0/0" or destinationIpv6CidrBlock equals "::/0"))] exists as Y; filter '$.X.dbsubnetGroup.subnets[*].subnetIdentifier intersects $.Y.associations[*].subnetId'; show X;
Impact
—This change does not impact existing alerts.
GCP Firewall Rules
The RQLs for the following policies have been updated so that they do not generate alerts for firewall rules that are disabled:
GCP Firewall rule allows all traffic on SSH port (22)
Current
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated to
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
GCP Firewall rule allows all traffic on RDP port (3389)
Current
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
Updated to
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
GCP Firewall rules allow inbound traffic from anywhere with no target tags set
Updated Policy Name—GCP Firewall rule allows inbound traffic from anywhere with no specific target set
Current
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'direction equals "INGRESS" and allowed[*] exists and sourceRanges[*] contains 0.0.0.0/0 and targetTags[*] does not exist and targetServiceAccounts[*] does not exist'
Updated to
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[*] exists and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and targetTags[*] does not exist and targetServiceAccounts[*] does not exist'
Default Firewall rule should not have any rules (except http and https)
Updated Policy Name—GCP Default Firewall rule is overly permissive (except http and https)
Current
config from cloud.resource where api.name= 'gcloud-compute-firewall-rules-list' AND json.rule = ' ($.name equals default-allow-ssh or $.name equals default-allow-icmp or $.name equals default-allow-internal or $.name equals default-allow-rdp) and ($.deleted is false) and ($.sourceRanges[*] contains 0.0.0.0/0)'
Updated to
config from cloud.resource where cloud.type = 'gcp' AND api.name= 'gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and (name equals default-allow-ssh or name equals default-allow-icmp or name equals default-allow-internal or name equals default-allow-rdp) and (deleted is false) and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0)'
Impact
—The number of alerts generated will be reduced.

REST API Updates

CHANGE
DESCRIPTION
New API Endpoints to Support Asynchronous RQL Config Queries
The following new API endpoints enable you to submit and download the results of jobs that process RQL config queries:
  • POST /search/config/jobs
    Submits a job to execute an RQL config query
  • GET /search/config/jobs/{id}/download
    Returns the results of an RQL config query, as a CSV

New Features

FEATURE
DESCRIPTION
Update
Support for Splunk and Webhook as Notification Channels for Alarm Center
In addition to Email, you can now configure Splunk and Webhook as channels where you can receive notifications when alarms are generated on Prisma Cloud. After setting up these channels, you do not need to be logged in to Prisma Cloud console at all times in order to know when an error or issue occurs
Update
Alarm Center View Permissions
In addition to Prisma Cloud System Admins, now Account Group Admins will have limited access to Alarm Center functionalities, such as logging in and viewing the notification details.
Support for AWS Organization Member Account Selection
If you use AWS Organizations to centrally govern and manage access to services and resources on AWS, you can now include or exclude member accounts and AWS organizational units (OUs) when you onboard an AWS Organization member account to Prisma Cloud.
Update
Permissions for Cloud Discovery in Compute for GCP onboarding
The Terraform templates for onboarding your GCP Projects and Organization with
Monitor and Protect
mode are updated to include the following permissions:
  • iam.serviceAccounts.signJwt
  • compute.zones.list
  • compute.instances.list
  • compute.projects.get
  • osconfig.patchJobs.exec
  • osconfig.patchJobs.get
  • osconfig.patchJobs.list
  • storage.buckets.create
  • storage.buckets.delete
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • compute.disks.get
If you are using the cloud workload protection capabilities enabled through the
Compute
tab on Prisma Cloud (Enterprise), these permissions enable you to deploy Defenders on
Cloud Radar
for unsecured virtual machines (VMs).
New features for Compute
See Features Introduced in October 2021 for all new Compute capabilities on Prisma Cloud Enterprise Edition.
Prisma Cloud Service in India
Prisma Cloud tenant (app.ind.prismacloud.io) is now available for the India region.
API Ingestions
AWS CodeBuild
aws-code-build-project
The permissions required are:
  • codebuild:ListProjects
  • codebuild:BatchGetProjects
AWS Systems Manager
aws-ssm-inventory-instance-information
The permissions required are:
  • ssm:DescribeInstanceInformation
  • ssm:GetInventory
AWS Transfer Family
aws-transfer-family-access
The permissions required are:
  • transfer:ListAccesses
  • transfer:DescribeAccess
AWS Transfer Family
aws-transfer-family-server
The permissions required are:
  • transfer:DescribeServer
  • transfer:ListServers
Azure Storage
azure-storage-account-diagnostic-settings
The permissions required are:
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
These permissions are included in the Reader role.
Azure Virtual Network
azure-network-firewall-policy
The permissions required are:
  • Microsoft.Network/firewallPolicies/read
  • Microsoft.Network/firewallPolicies/ruleCollectionGroups/read
These permissions are included in theReader role.

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 21.10.2.
POLICY UPDATES
DESCRIPTION
New Policy
Azure Container Instance not configured with the managed identity
Identifies Azure Container Instances (ACIs) that are not configured with managed identity, which is authenticated with Azure AD. It is recommended to configure managed identity on all your container instances.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-container-instances-container-group' AND json.rule = properties.provisioningState equals Succeeded and (identity.type does not exist or (identity.type exists and identity.type equal ignore case None))
Azure Container Instance environment variable with regular value type
Identifies ACIs in which the environment variables are of regular value type instead of secure value. Using secure values for environment variables is safer and more flexible than including them in your container's image. As a best practice, secure the environment variable by specifying the
secureValue
property instead of the regular
value
for the variable's type.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-container-instances-container-group' AND json.rule = properties.provisioningState equals Succeeded and properties.containers[*].properties.environmentVariables[*] exists and properties.containers[*].properties.environmentVariables[*].value exists
Azure Container Instance is not configured with virtual network
Identifies ACIs that are not configured with a virtual network. By deploying container instances into an Azure virtual network, your containers can communicate securely with other resources in the virtual network. As a best practice, configure all your container instances within a virtual network.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-container-instances-container-group' AND json.rule = properties.provisioningState equals Succeeded and properties.ipAddress.type exists and properties.ipAddress.type equals Public
Azure Cosmos DB allows traffic from public Azure datacenters
Identifies Cosmos DBs that allow traffic from public Azure data centers. If you enable this option, the IP address 0.0.0.0 is added to the list of allowed IP addresses. It is recommended not to select the
Accept connections from within public Azure datacenters
option for your Cosmos DB.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cosmos-db' AND json.rule = properties.provisioningState equals Succeeded and properties.ipRangeFilter is not empty and properties.ipRangeFilter contains 0.0.0.0
AWS EMR Block public access setting disabled
Checks for AWS EMR that are configured with block public access setting. This could impact alerts being generated for all AWS EMR with public access setting disabled.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-emr-public-access-block' AND json.rule = blockPublicAccessConfiguration.blockPublicSecurityGroupRules is false
AWS EMR cluster Master Security Group allows all traffic to port 8088
Checks for AWS EMR cluster that are configured with Master Security Group that allows all traffic to port 8088. This could impact alerts being generated for all AWS EMR cluster which has public access for port 8088.
config from cloud.resource where api.name = 'aws-emr-describe-cluster' AND json.rule = status.state does not contain TERMINATING as X; config from cloud.resource where api.name= 'aws-ec2-describe-security-groups' AND json.rule = isShared is false and (ipPermissions[?any((ipRanges[] contains 0.0.0.0/0 or ipv6Ranges[].cidrIpv6 contains ::/0) and ((toPort == 8088 or fromPort == 8088) or (toPort > 8088 and fromPort < 8088)))] exists) as Y; filter '$.X.ec2InstanceAttributes.emrManagedMasterSecurityGroup equals $.Y.groupId or $.X.ec2InstanceAttributes.additionalMasterSecurityGroups[*] contains $.Y.groupId'; show X;
AWS ECS fargate task definition logging is disabled
Identifies ECS fargate task definitions for which logging is disabled. You can configure the containers in your tasks to send log information to CloudWatch logs to help you get information from running containers and services. If you are using the Fargate launch type for your tasks, this allows you to view the logs from your containers.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ecs-describe-task-definition' AND json.rule = status equals ACTIVE and containerDefinitions[?any(logConfiguration.logDriver does not exist or logConfiguration.logDriver contains false)] exists
Policy Updates—Metadata
Memcached default UDP port is publicly accessible
The policy RQL has been updated to check network flows with bytes greater than zero. The policy name and description have also been updated.
Impact
—No impact on existing alerts.
The policy RQL is modified as follows:
network from vpc.flow_record where protocol IN ( 'UDP' ) and dest.port = 11211 and bytes > 0 AND source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' , 'AWS IPs', 'Azure IPs', 'GCP IPs' )

REST API Updates

CHANGE
DESCRIPTION
Support for AWS Organization Member Account Selection
You can now specify AWS organizational units (OUs) when you use the CSPM API to onboard an AWS Organization to Prisma Cloud. You can also use the API to access or update onboarded OUs.
New API endpoints are also available to list either children or ancestors in the OU hierarchy. You can find these new endpoints under CSPM Cloud Accounts in the CSPM API reference.
New Request Parameter for Login Endpoint for Multi-Tenancy
The following API endpoint has a new, optional request body parameter
prismaId
for multi-tenant users:
New Alerts Filter Type
The response object for the following API endpoint includes a new filter
policy.subtype
:
New Query Parameter for Endpoint to List Integration Types
The following API endpoint has a new, optional query request parameter
internalOnly
, which restricts your integration type query to Tenable, Qualys, and Okta:

Recommended For You