Features Introduced in October 2021

Learn what’s new on Prisma™ Cloud in October 2021.

New Features

FEATURE
DESCRIPTION
Support for Splunk and Webhook as Notification Channels for Alarm Center (Update)
In addition to Email, you can now configure Splunk and Webhook as channels to receive notifications when alarms are generated so you do not need access to the Prisma Cloud console at all times to know when an error or issue occurs.
Alarm Center View Permissions (Update)
In addition to Prisma Cloud System Admins, Account Group Admins now have limited access to Alarm Center functionality, such as logging in and viewing the notification details.
Support for AWS Organization Member Account Selection
If you use AWS Organizations to centrally govern and manage access to services and resources on AWS, you can now include or exclude member accounts and AWS organizational units (OUs) when you onboard an AWS Organization member account to Prisma Cloud.
Permissions for Cloud Discovery in Compute for GCP Onboarding (Update)
The Terraform templates for onboarding your GCP Projects and Organization in Monitor and Protect mode are updated to include the following permissions:
  • iam.serviceAccounts.signJwt
  • compute.zones.list
  • compute.instances.list
  • compute.projects.get
  • osconfig.patchJobs.exec
  • osconfig.patchJobs.get
  • osconfig.patchJobs.list
  • storage.buckets.create
  • storage.buckets.delete
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • compute.disks.get
If you are using the cloud workload protection capabilities enabled through the Compute tab on Prisma Cloud (Enterprise), these permissions enable you to deploy Defenders, from Cloud Radar, to unsecured virtual machines (VMs).
Prisma Cloud Service in India
The Prisma Cloud tenant app.ind.prismacloud.io is now available in the India region.
API Ingestions
AWS CodeBuild
aws-code-build-project
The permissions required are:
  • codebuild:ListProjects
  • codebuild:BatchGetProjects
AWS Systems Manager
aws-ssm-inventory-instance-information
The permissions required are:
  • ssm:DescribeInstanceInformation
  • ssm:GetInventory
AWS Transfer Family
aws-transfer-family-access
The permissions required are:
  • transfer:ListAccesses
  • transfer:DescribeAccess
AWS Transfer Family
aws-transfer-family-server
The permissions required are:
  • transfer:DescribeServer
  • transfer:ListServers
Azure Storage
azure-storage-account-diagnostic-settings
The permissions required are:
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
These permissions are included in the Reader role.
Azure Virtual Network
azure-network-firewall-policy
The permissions required are:
  • Microsoft.Network/firewallPolicies/read
  • Microsoft.Network/firewallPolicies/ruleCollectionGroups/read
These permissions are included in the Reader role.

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 21.10.2.
POLICY UPDATES
DESCRIPTION
New Policy
Azure Container Instance not configured with the managed identity
Identifies Azure Container Instances (ACIs) that are not configured with a managed identity, which authenticates with Azure AD. It is recommended to configure a managed identity on all your container instances.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-container-instances-container-group' AND json.rule = properties.provisioningState equals Succeeded and (identity.type does not exist or (identity.type exists and identity.type equal ignore case None))
Azure Container Instance environment variable with regular value type
Identifies ACIs in which the environment variables are of the regular value type instead of the secure value type. Using secure values for environment variables is safer and more flexible than including them in your container's image. It is recommended to secure each sensitive environment variable by specifying the 'secureValue' property instead of the regular 'value' property.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-container-instances-container-group' AND json.rule = properties.provisioningState equals Succeeded and properties.containers[*].properties.environmentVariables[*] exists and properties.containers[*].properties.environmentVariables[*].value exists
Azure Container Instance is not configured with virtual network
Identifies ACIs that are not configured with a virtual network. By deploying container instances into an Azure virtual network, your containers can communicate securely with other resources in the virtual network. It is recommended to configure all your container instances within a virtual network.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-container-instances-container-group' AND json.rule = properties.provisioningState equals Succeeded and properties.ipAddress.type exists and properties.ipAddress.type equals Public
Azure Cosmos DB allows traffic from public Azure datacenters
Identifies Cosmos DBs that allow traffic from public Azure datacenters. If you enable this option, the IP address 0.0.0.0 is added to the list of allowed IP addresses. It is recommended not to select the ‘Accept connections from within public Azure datacenters’ option for your Cosmos DB.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cosmos-db' AND json.rule = properties.provisioningState equals Succeeded and properties.ipRangeFilter is not empty and properties.ipRangeFilter contains 0.0.0.0
AWS EMR Block public access setting disabled
Checks for AWS EMR block public access configurations in which the block public access setting is disabled. This may generate alerts for all AWS EMR configurations with the public access setting disabled.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-emr-public-access-block' AND json.rule = blockPublicAccessConfiguration.blockPublicSecurityGroupRules is false
AWS EMR cluster Master Security Group allows all traffic to port 8088
Checks for AWS EMR clusters whose Master Security Group allows all traffic to port 8088. This may generate alerts for every AWS EMR cluster that has public access on port 8088.
config from cloud.resource where api.name = 'aws-emr-describe-cluster' AND json.rule = status.state does not contain TERMINATING as X; config from cloud.resource where api.name= 'aws-ec2-describe-security-groups' AND json.rule = isShared is false and (ipPermissions[?any((ipRanges[] contains 0.0.0.0/0 or ipv6Ranges[].cidrIpv6 contains ::/0) and ((toPort == 8088 or fromPort == 8088) or (toPort > 8088 and fromPort < 8088)))] exists) as Y; filter '$.X.ec2InstanceAttributes.emrManagedMasterSecurityGroup equals $.Y.groupId or $.X.ec2InstanceAttributes.additionalMasterSecurityGroups[*] contains $.Y.groupId'; show X;
AWS ECS fargate task definition logging is disabled
Identifies ECS Fargate task definitions for which logging is disabled. You can configure the containers in your tasks to send log information to CloudWatch Logs, which helps you get information from running containers and services; if you are using the Fargate launch type for your tasks, this is how you view the logs from your containers.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ecs-describe-task-definition' AND json.rule = status equals ACTIVE and containerDefinitions[?any(logConfiguration.logDriver does not exist or logConfiguration.logDriver contains false)] exists
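The "AWS EMR cluster Master Security Group allows all traffic to port 8088" policy above is the only one in this release that joins two resource sets (clusters as X, security groups as Y) and filters on the join. The following Python re-implements that RQL logic step by step over constructed sample resources, so the port-range and CIDR conditions can be traced by hand. This is an added example, not code from Prisma Cloud; the sample clusters and security groups are constructed, and the field shapes (ipRanges as CIDR strings, ipv6Ranges as objects with cidrIpv6) are assumed to mirror the fields named in the RQL rather than the raw AWS API output.

```python
"""Trace the EMR master security group / port 8088 policy logic in plain Python.

Added example; mirrors the RQL on this page over constructed sample data.
"""

TARGET_PORT = 8088
OPEN_V4 = "0.0.0.0/0"
OPEN_V6 = "::/0"

# Constructed sample clusters (aws-emr-describe-cluster shape as used by the RQL).
SAMPLE_CLUSTERS = [
    {"id": "j-ACTIVE1", "status": {"state": "WAITING"},
     "ec2InstanceAttributes": {"emrManagedMasterSecurityGroup": "sg-master-open",
                               "additionalMasterSecurityGroups": []}},
    {"id": "j-ACTIVE2", "status": {"state": "RUNNING"},
     "ec2InstanceAttributes": {"emrManagedMasterSecurityGroup": "sg-master-closed",
                               "additionalMasterSecurityGroups": ["sg-extra-range"]}},
    {"id": "j-TERM", "status": {"state": "TERMINATING"},
     "ec2InstanceAttributes": {"emrManagedMasterSecurityGroup": "sg-master-open",
                               "additionalMasterSecurityGroups": []}},
    {"id": "j-ACTIVE3", "status": {"state": "RUNNING"},
     "ec2InstanceAttributes": {"emrManagedMasterSecurityGroup": "sg-master-closed",
                               "additionalMasterSecurityGroups": ["sg-shared-open"]}},
]

# Constructed sample security groups (aws-ec2-describe-security-groups shape,
# assumed: ipRanges holds CIDR strings, ipv6Ranges holds {"cidrIpv6": ...}).
SAMPLE_SECURITY_GROUPS = [
    {"groupId": "sg-master-open", "isShared": False,
     "ipPermissions": [{"fromPort": 8088, "toPort": 8088,
                        "ipRanges": ["0.0.0.0/0"], "ipv6Ranges": []}]},
    {"groupId": "sg-master-closed", "isShared": False,
     "ipPermissions": [{"fromPort": 8088, "toPort": 8088,
                        "ipRanges": ["10.0.0.0/8"], "ipv6Ranges": []}]},
    # A wide range that spans 8088 from the IPv6 side is still a hit.
    {"groupId": "sg-extra-range", "isShared": False,
     "ipPermissions": [{"fromPort": 8000, "toPort": 9000,
                        "ipRanges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]},
    # Shared groups are excluded by the RQL's "isShared is false".
    {"groupId": "sg-shared-open", "isShared": True,
     "ipPermissions": [{"fromPort": 8088, "toPort": 8088,
                        "ipRanges": ["0.0.0.0/0"], "ipv6Ranges": []}]},
]


def rule_exposes_port(perm, port=TARGET_PORT):
    """Mirror the inner ipPermissions[?any(...)] condition of the RQL."""
    open_to_world = (OPEN_V4 in perm.get("ipRanges", [])
                     or any(r.get("cidrIpv6") == OPEN_V6
                            for r in perm.get("ipv6Ranges", [])))
    from_port, to_port = perm.get("fromPort"), perm.get("toPort")
    if from_port is None or to_port is None:
        # A rule without port fields cannot satisfy the numeric comparisons,
        # so the RQL expression as written does not match it.
        return False
    in_range = ((to_port == port or from_port == port)
                or (to_port > port and from_port < port))
    return open_to_world and in_range


def offending_security_groups(groups, port=TARGET_PORT):
    """Set Y: non-shared security groups with at least one matching rule."""
    return {g["groupId"] for g in groups
            if g.get("isShared") is False
            and any(rule_exposes_port(p, port) for p in g.get("ipPermissions", []))}


def find_exposed_emr_clusters(clusters, groups, port=TARGET_PORT):
    """Join X (non-terminating clusters) with Y on master SG ids; show X."""
    bad_groups = offending_security_groups(groups, port)
    hits = []
    for cluster in clusters:
        if "TERMINATING" in cluster.get("status", {}).get("state", ""):
            continue  # X excludes clusters that are already shutting down
        attrs = cluster.get("ec2InstanceAttributes", {})
        master = attrs.get("emrManagedMasterSecurityGroup")
        extra = attrs.get("additionalMasterSecurityGroups", [])
        if master in bad_groups or any(g in bad_groups for g in extra):
            hits.append(cluster["id"])
    return hits


if __name__ == "__main__":
    print(find_exposed_emr_clusters(SAMPLE_CLUSTERS, SAMPLE_SECURITY_GROUPS))
```

Running the script lists the two non-terminating clusters whose managed or additional master security group opens port 8088 to 0.0.0.0/0 or ::/0; the cluster attached only to a shared group is not reported, exactly as the RQL's `isShared is false` clause dictates.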
Policy Updates—Metadata
Memcached default UDP port is publicly accessible
The policy RQL has been updated to check network flows with bytes greater than zero. The policy name and description have also been updated.
Impact—No impact on existing alerts.
The policy RQL is modified as follows:
network from vpc.flow_record where protocol IN ( 'UDP' ) and dest.port = 11211 and bytes > 0 AND source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' , 'AWS IPs', 'Azure IPs', 'GCP IPs' )

REST API Updates

CHANGE
DESCRIPTION
Support for AWS Organization Member Account Selection
You can now specify AWS organizational units (OUs) when you use the CSPM API to onboard an AWS Organization to Prisma Cloud. You can also use the API to access or update onboarded OUs.
New API endpoints are also available to list either children or ancestors in the OU hierarchy. You can find these new endpoints under CSPM Cloud Accounts in the CSPM API reference.
New Request Parameter for Login Endpoint for Multi-Tenancy
The following API endpoint has a new, optional request body parameter prismaId for multi-tenant users:
New Alerts Filter Type
The response object for the following API endpoint includes a new filter policy.subtype:
New Query Parameter for Endpoint to List Integration Types
The following API endpoint has a new, optional query request parameter internalOnly, which restricts your integration type query to Tenable, Qualys, and Okta: