Features Introduced in September 2021

Learn what’s new on Prisma™ Cloud in September 2021.

New Features Introduced in 21.9.2

New Features

FEATURE
DESCRIPTION
Increase in Limit for Roles Assigned
The maximum number of roles that you can assign to a Prisma Cloud administrator is updated to fifty.
Support for AWS S3 Flow Logs
You can now configure AWS S3 to enable monitoring of VPC flow log data published to S3 buckets in a logging account. When you onboard or edit your AWS cloud account, use Advanced Settings to configure the logging account and select the buckets from which to fetch S3 flow logs.
API Ingestions
Amazon Virtual Private Cloud (VPC)
aws-ec2-vpc-endpoint-service-configuration
The following permission is required:
ec2:DescribeVpcEndpointServiceConfigurations
Amazon SageMaker
aws-sagemaker-training-job
The following permissions are required:
  • sagemaker:DescribeTrainingJob
  • sagemaker:ListTrainingJobs
  • sagemaker:ListTags
Amazon SageMaker
aws-sagemaker-user-profile
The following permissions are required:
  • sagemaker:ListUserProfiles
  • sagemaker:DescribeUserProfile
  • sagemaker:ListTags
Amazon SageMaker
aws-sagemaker-endpoint-config
The following permissions are required:
  • sagemaker:ListEndpointConfigs
  • sagemaker:DescribeEndpointConfig
  • sagemaker:ListTags
Amazon SageMaker
aws-sagemaker-domain
The following permissions are required:
  • sagemaker:ListDomains
  • sagemaker:DescribeDomain
  • sagemaker:ListTags
Amazon API Gateway
aws-api-gateway-authorizer
The following permission is required:
apigateway:GET
Amazon EC2
aws-ec2-describe-images
The permissions are included in the Reader role.
Azure Database Migration Projects
azure-database-migration-project
The permissions are included in the Reader role.
Azure Container Instances
azure-container-instances-container-group
The following permission is required:
Microsoft.ContainerInstance/containerGroups/read
Azure Web Application Firewall
azure-frontdoor-waf-policy
The following permission is required:
Microsoft.Network/frontDoorWebApplicationFirewallPolicies/read
OCI Networking
oci-networking-loadbalancer
Permission required: Allow group <GroupName> to inspect load-balancers in tenancy
This API does not ingest OCI Network Load Balancers. The permission should be added manually or automatically via Terraform.

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 21.10.1.
POLICY UPDATES
DESCRIPTION
New Policy
AWS ElastiCache Redis with in-transit encryption disabled (Non-replication group)
Identifies ElastiCache Redis that are in non-replication groups or individual ElastiCache Redis and have in-transit encryption disabled.
Enabling data encryption in-transit helps prevent unauthorized users from reading sensitive data between your Redis and their associated cache storage systems.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elasticache-cache-clusters' AND json.rule = transitEncryptionEnabled is false and replicationGroupId does not exist
Policy Updates—RQL
AWS IAM policy allows assume role permission across all services
Update—The RQL has been updated to exclude AWS-managed policies.
Updated RQL—The updated RQL is:
config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Effect equals Allow and Action contains sts:AssumeRole and Resource anyStartWith * and Condition does not exist)] exists and policyArn does not contain iam::aws
Impact—Previously generated alerts will be resolved as Policy_Updated.
AWS CloudTrail is not enabled in all regions
Update—The RQL has been updated based on the changes in the CIS guideline. The policy name, description, and recommendation have also been updated.
Updated Policy Name
AWS CloudTrail is not enabled with multi trail and not capturing all management events
The policy RQL is modified as follows:
config from cloud.resource where api.name= 'aws-cloudtrail-describe-trails' AND json.rule = 'isMultiRegionTrail is true and includeGlobalServiceEvents is true' as X; config from cloud.resource where api.name= 'aws-cloudtrail-get-trail-status' AND json.rule = 'status.isLogging equals true' as Y; config from cloud.resource where api.name= 'aws-cloudtrail-get-event-selectors' AND json.rule = 'eventSelectors[*].readWriteType contains All' as Z; filter '($.X.trailARN equals $.Z.trailARN) and ($.X.name equals $.Y.trail)'; show X; count(X) less than 1
Impact—Previously generated alerts will be resolved as Policy_Updated and new alerts will be generated based on the configuration.
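An added example, not code from the Prisma Cloud page or product: the three-way join that the updated CloudTrail RQL performs, evaluated offline in Python over constructed records shaped like the aws-cloudtrail-describe-trails, aws-cloudtrail-get-trail-status and aws-cloudtrail-get-event-selectors results. It assumes the field names the RQL references (isMultiRegionTrail, includeGlobalServiceEvents, status.isLogging, trail, trailARN, eventSelectors[].readWriteType).

```python
# Added example (not Prisma Cloud code): an offline evaluation of the updated CloudTrail
# policy logic using the same field names the RQL references. Input records are
# constructed to resemble the three ingested API results.
from typing import List

def compliant_trails(trails: List[dict], statuses: List[dict], selectors: List[dict]) -> List[str]:
    """Return the names of trails that satisfy all three RQL clauses:
    X: multi-region trail that includes global service events,
    Y: trail status reports isLogging true (joined on X.name == Y.trail),
    Z: an event selector with readWriteType All (joined on X.trailARN == Z.trailARN)."""
    x = [t for t in trails
         if t.get("isMultiRegionTrail") is True and t.get("includeGlobalServiceEvents") is True]
    logging_trails = {s["trail"] for s in statuses if s.get("status", {}).get("isLogging") is True}
    all_events_arns = {z["trailARN"] for z in selectors
                       if any(es.get("readWriteType") == "All" for es in z.get("eventSelectors", []))}
    return [t["name"] for t in x
            if t["trailARN"] in all_events_arns and t["name"] in logging_trails]

def account_is_noncompliant(trails, statuses, selectors) -> bool:
    """The policy alerts when count(X) is less than 1, i.e. no trail passes every check."""
    return len(compliant_trails(trails, statuses, selectors)) < 1

# Constructed sample (account id is a placeholder): "org-trail" meets every clause;
# "regional" is single-region; "audit" is multi-region and logging but only ReadOnly.
TRAILS = [
    {"name": "org-trail", "trailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
     "isMultiRegionTrail": True, "includeGlobalServiceEvents": True},
    {"name": "regional", "trailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/regional",
     "isMultiRegionTrail": False, "includeGlobalServiceEvents": True},
    {"name": "audit", "trailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/audit",
     "isMultiRegionTrail": True, "includeGlobalServiceEvents": True},
]
STATUSES = [{"trail": "org-trail", "status": {"isLogging": True}},
            {"trail": "regional", "status": {"isLogging": True}},
            {"trail": "audit", "status": {"isLogging": True}}]
SELECTORS = [
    {"trailARN": TRAILS[0]["trailARN"], "eventSelectors": [{"readWriteType": "All"}]},
    {"trailARN": TRAILS[1]["trailARN"], "eventSelectors": [{"readWriteType": "All"}]},
    {"trailARN": TRAILS[2]["trailARN"], "eventSelectors": [{"readWriteType": "ReadOnly"}]},
]

if __name__ == "__main__":
    print(compliant_trails(TRAILS, STATUSES, SELECTORS))             # ['org-trail']
    # Dropping the only fully compliant trail makes the account non-compliant.
    print(account_is_noncompliant(TRAILS[1:], STATUSES, SELECTORS))  # True
```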
AWS ECR repository is exposed to public
Update—The policy name, description, RQL, and recommendation have been changed so that the policy flags an overly permissive repository policy rather than public exposure.
Updated Policy Name
AWS ECR repository policy is overly permissive
The policy RQL is modified as follows:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ecr-get-repository-policy' AND json.rule = policy.Statement[?any((Principal equals * or Principal.AWS contains *) and Effect equals Allow and Condition does not exist)] exists
Impact—No impact on existing alerts.
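As an added example (not code from the Prisma Cloud page or product), the two statement-level checks above, the updated IAM assume-role RQL and the ECR repository policy RQL, written as plain Python over policy documents shaped like the ingested aws-iam-get-policy-version and aws-ecr-get-repository-policy results. The sample documents, account id, policy names and organization id are constructed placeholders.

```python
# Added example (not Prisma Cloud code): the IAM assume-role and ECR repository checks
# above, evaluated offline on constructed policy documents using the RQL's field names.
from typing import Any, List

def _as_list(value: Any) -> List[Any]:
    # IAM policy JSON allows a scalar or a list for Statement, Action, Resource and
    # Principal.AWS; normalise so every check iterates uniformly.
    return [] if value is None else value if isinstance(value, list) else [value]

def _allow_without_condition(doc: dict):
    # Both RQLs only consider Allow statements that carry no Condition block.
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") == "Allow" and "Condition" not in st:
            yield st

def iam_policy_assume_role_across_services(policy: dict) -> bool:
    """aws-iam-get-policy-version check: attached, not AWS-managed (policyArn does not
    contain 'iam::aws'), with an unconditional Allow of an sts:AssumeRole action on a
    Resource that starts with '*'."""
    if policy.get("isAttached") is not True or "iam::aws" in policy.get("policyArn", ""):
        return False
    for st in _allow_without_condition(policy.get("document", {})):
        if (any("sts:AssumeRole" in a for a in _as_list(st.get("Action")))
                and any(r.startswith("*") for r in _as_list(st.get("Resource")))):
            return True
    return False

def ecr_repository_policy_overly_permissive(repo: dict) -> bool:
    """aws-ecr-get-repository-policy check: an unconditional Allow statement whose
    Principal is '*' or whose Principal.AWS contains a '*' entry."""
    for st in _allow_without_condition(repo.get("policy", {})):
        principal = st.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and any("*" in p for p in _as_list(principal.get("AWS"))):
            return True
    return False

# Constructed samples; the account id, policy names and org id are placeholders.
CUSTOMER_POLICY = {"isAttached": True, "policyArn": "arn:aws:iam::111122223333:policy/xacct",
                   "document": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                               "Resource": "*"}]}}
AWS_MANAGED_POLICY = dict(CUSTOMER_POLICY, policyArn="arn:aws:iam::aws:policy/PowerUserAccess")
PUBLIC_REPO = {"policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                                         "Action": "ecr:BatchGetImage"}]}}
SCOPED_REPO = {"policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                                         "Action": "ecr:BatchGetImage",
                                         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}}]}}
```

The AWS-managed sample is excluded purely by its ARN, which is exactly the exclusion the RQL update adds; the scoped repository is cleared only because its statement carries a Condition.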
AWS S3 bucket accessible to unmonitored cloud accounts
Update—The policy recommendation steps have been updated based on the AWS UI changes.
Impact—No impact on existing alerts.
AWS ElastiCache Redis cluster with in-transit encryption disabled
Update—The policy name and description have been updated to indicate that the policy applies to replication groups.
Impact—No impact on existing alerts.
Azure Virtual Network subnet is not configured with a Network Security Group
Updates—The RQL has been updated to check whether the subnet is used by any private endpoint, and the policy description has been updated accordingly.
The policy RQL is modified as follows:
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-subnet-list' AND json.rule = networkSecurityGroupId does not exist and name is not member of ("GatewaySubnet", "AzureFirewallSubnet") and ['properties.delegations'][*].['properties.serviceName'] does not equal "Microsoft.Netapp/volumes" and ['properties.privateEndpointNetworkPolicies'] equals Enabled and ['properties.privateLinkServiceNetworkPolicies'] equals Enabled
Impact—Previously generated alerts will be resolved as Policy_Updated.
Policy Updates—Remediation
  • Azure Function App doesn't redirect HTTP to HTTPS
  • Azure Function App client certificate is disabled
  • Azure Function App doesn't have a Managed Service Identity
Update—Requires the Microsoft.Web/sites/Write permission to remediate the resource for these policies.
The following policies require the Microsoft.Web/sites/config/Write permission to remediate the resource:
  • Azure Function App doesn't use latest TLS version
  • Azure Function App doesn't use HTTP 2.0
Impact—If the policy has auto-remediation enabled, then previously generated alerts will be resolved as Auto_Remediated; if the policy is manually remediated, then previously generated alerts will be resolved as Manually_Remediated.
GCP Firewall with Inbound rule overly permissive to All Traffic
Updates—Support for auto-remediation via CLI has been added. The following permissions are required:
  • compute.firewalls.delete
  • compute.networks.updatePolicy
Impact—If the policy has auto-remediation enabled, then previously generated alerts will be resolved as Auto_Remediated; if the policy is manually remediated, then previously generated alerts will be resolved as Manually_Remediated.
The remediation CLI will delete the overly permissive inbound Firewall rule when manual or auto remediation is performed.
GCP Firewall rule logging disabled
Updates—Support for auto-remediation via CLI has been added. The following permissions are required:
  • compute.firewalls.update
  • compute.networks.updatePolicy
Impact—If the policy has auto-remediation enabled, then previously generated alerts will be resolved as Auto_Remediated; if the policy is manually remediated, then previously generated alerts will be resolved as Manually_Remediated.
GCP cloud storage bucket with uniform bucket-level access disabled
Updates—Support for auto-remediation via CLI has been added. The following permission is required:
storage.buckets.update
Impact—If the policy has auto-remediation enabled, then previously generated alerts will be resolved as Auto_Remediated; if the policy is manually remediated, then previously generated alerts will be resolved as Manually_Remediated.
Policy Deletions
Azure has modified the configuration of alert notification related to roles, email, and alert type for Azure SQL Server. Advanced Threat Protection is now handled through Azure Security Center, and therefore the following policies are deleted:
  • Azure SQL Server advanced data security does not have an email alert recipient
  • Azure SQL server send alerts to field value is not set
  • Azure SQL Server advanced data security does not send alerts to service and co-administrators
Impact—All existing alerts related to these policies will be resolved as Policy_Deleted.
The following four policies are deleted because two OOTB policies cover the same functionality:
  • AWS S3 Bucket has Global GET Permissions enabled via bucket policy
  • AWS S3 Bucket has Global LIST Permissions enabled via bucket policy
  • AWS S3 Bucket has Global DELETE Permissions enabled via bucket policy
  • AWS S3 Bucket has Global PUT Permissions enabled via bucket policy
The two OOTB policies that cover this functionality are:
  • AWS S3 bucket publicly readable
  • AWS S3 bucket publicly writable
Impact—All existing open alerts associated with these policies will be resolved as Policy_Deleted.
SQL DB instance backup configuration is not enabled
Update—The policy has been deleted to avoid duplicate alerts, as another out-of-the-box policy has the same functionality.
Impact—Previously generated alerts will be resolved as Policy_Deleted.

New Features

FEATURE
DESCRIPTION
Support for Third-Party SSO using Google as IdP
You can now set up third-party Single Sign On (SSO) using Google for Prisma Cloud.
Support for Third-Party SSO using OneLogin as IdP
You can now set up third-party SSO using OneLogin for Prisma Cloud.
Keyword search in Alarm Center
The search bar in Alarm Center enables you to enter a keyword and search across the alarm title, body, and error messages for alarm results that match the selected filters.
Support for GCP Asia South 2 and Australia SouthEast 2 Regions
Prisma Cloud will ingest data for resources deployed in the Asia South 2 and Australia SouthEast 2 regions on GCP.
To review a list of supported regions, select Inventory > Assets > Cloud Region.
Permission Update
Prisma Cloud manual onboarding on Azure Government and China regions
To support manual onboarding of Prisma Cloud instances on Azure Government and Azure China regions, an additional Microsoft.Compute/virtualMachines/runCommand/action permission has been added to the custom role permissions in the Azure Management Group and Subscription read-write Terraform scripts.
Update
Default account group updated for AWS Master account
Previously, when you updated the default account group for an AWS Master account from the cloud account Edit mode, Prisma Cloud would update the account group for all member accounts.
With this update, when you update the default account group for an AWS master account from the cloud account Edit mode, Prisma Cloud applies the new default account group to the master account only and does not change the account group of existing member accounts. Newly added member accounts inherit the account group from the master account.
API Ingestions
AWS Backup
aws-backup-vault-access-policy
Additional permissions required—
  • backup:GetBackupVaultAccessPolicy
  • backup:ListTags
  • backup:ListBackupVaults
AWS Config
aws-configservice-config-rules
Additional permissions required—
  • config:DescribeConfigRules
  • config:GetComplianceDetailsByConfigRule
AWS Config
aws-configservice-compliance-details
Additional permissions required—
  • config:DescribeConfigRules
  • config:GetComplianceDetailsByConfigRule
Azure App Service
azure-app-service-certificate
The permissions are included in the Reader role.
Azure Automation Accounts
azure-automation-account
The permissions are included in the Reader role.
Azure Resource Manager
azure-classic-resource
The permissions are included in the Reader role.
Google Cloud Filestore
gcloud-filestore-instance
The permissions are included in the Project Viewer role.
Google HealthCare
gcloud-healthcare-dataset
The permissions are included in the Project Viewer role.
Google Secrets Manager
gcloud-secretsmanager-secret
The permissions are included in the Project Viewer role.

New Policies and Policy Updates

Prisma Cloud includes three new Azure Cosmos DB policies to address a critical vulnerability recently reported in Azure Cosmos DB. These were added without advance notice due to their critical nature.
POLICY UPDATES
DESCRIPTION
New Policies
Azure Cosmos DB key based authentication is enabled
Identifies Cosmos DBs that are enabled with key-based authentication. Disabling key-based metadata write access on Azure Cosmos DB prevents any changes to resources from a client connecting using the account keys.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cosmos-db' AND json.rule = properties.provisioningState equals Succeeded and properties.disableKeyBasedMetadataWriteAccess is false
Azure Cosmos DB Virtual network is not configured
Checks for Azure Cosmos DBs that are not configured with a virtual network.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cosmos-db' AND json.rule = properties.provisioningState equals Succeeded and properties.virtualNetworkRules[*] does not exist
Azure Cosmos DB Private Endpoint Connection is not configured
Identifies Cosmos databases (DBs) that are not configured with a private endpoint connection. You can configure the Azure Cosmos DB private endpoints using Azure Private Link, which allows you to access an Azure Cosmos account from within the virtual network or from any peered virtual network.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cosmos-db' AND json.rule = properties.provisioningState equals Succeeded and properties.privateEndpointConnections[*] does not exist
Policy Updates—RQL
AWS Network Load Balancer (NLB) is not using the latest predefined security policy
The RQL has been updated so that it passes the RQL validation check, because the query uses the reserved word network.
The policy RQL is modified as follows:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = 'type equals network and listeners[?any(protocol equals TLS and sslPolicy exists and (sslPolicy does not contain ELBSecurityPolicy-FS-1-2-Res-2020-10 and sslPolicy does not contain ELBSecurityPolicy-TLS-1-2-Ext-2018-06))] exists'
Impact—No impact on existing alerts.
Policy Updates—Metadata
AWS RDS database instance is publicly accessible
A typo in the description was fixed.
The policy description is updated as follows:
This policy identifies RDS database instances which are publicly accessible. DB instances should not be publicly accessible to protect the integrity of data. Public accessibility of DB instances can be modified by turning on or off the Public accessibility parameter.
Impact—No impact on existing alerts.

REST API Updates

CHANGE
DESCRIPTION
Updated Response Object for CSPM Policy Endpoints that List Policies
The response objects for the endpoints that list policies include the property policyClass. A new value, exposure, replaces misconfiguration as one of the valid values for this property. The affected endpoints are:
  • GET /policy
  • GET /v2/policy
Update
Changes to cloudType for Uniformity Across all Third-Party Integrations
If you are using Alerts 2.0, the cloudType field in the alert notifications sent to third-party integrations is displayed in lowercase letters as follows:
  • aws instead of AWS
  • azure instead of Azure
  • gcp instead of Google Cloud Platform
  • alibaba_cloud instead of Alibaba Cloud
  • oci instead of OCI
New Attribute in Response Object for Resource Timeline Endpoint
The response object for the following API endpoint includes a new attribute, discoveredTs, which is the UNIX timestamp that identifies when Prisma Cloud first discovered the resource:
POST /resource/timeline