Features Introduced in April 2022

Learn what's new on Prisma™ Cloud in April 2022.

New Features Introduced in 22.4.2

New Features

FEATURE
DESCRIPTION
Prisma Cloud Data Security—Scan Resources By True File Type
When scanning files for data security, files are now identified based on the
True File Type
as determined by file metadata, regardless of the file extension for all supported file types.
Alerts are generated whenever a file that is scanned based on the True File Type, violates a Prisma Cloud Data Security policy.
Previously, the
Data Security Settings
page, displayed the aggregate file size for all files supported for Sensitive Data Scan and Malware Scan based on their file extensions under their respective columns. With True File Type, the page now displays the aggregate file size for all eligible files based on their True File Type, regardless of their file extensions. Prisma Cloud Data Security still only supports files up to 20MB.
While adding a data policy, if you select the
File Extension
checkbox, Prisma Cloud Data Security will only scan files based on True File Type, regardless of their file extensions.
Change in Existing Behavior
Prisma Cloud Data Security—Object Scan for Glacier Deep Archive and Glacier Flexible Retrieval Storage Classes
The feature which shows the objects that belong to
Glacier Deep Archive
and
Glacier Flexible Retrieval
(formerly Glacier) as
Un-supported storage class
in Inventory is disabled and objects that belong to these two storage classes will display as
Not Supported
.
Update
Permissions in the GCP Terraform Template
The GCP Terraform template in
Monitor & Protect
mode, used for onboarding GCP accounts on Prisma Cloud, now includes the following permissions to support VM image scanning
compute.disks.create
compute.images.get
compute.images.list
compute.images.useReadOnlycompute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.list
compute.instances.setTagscompute.networks.get
compute.networks.use
compute.networks.useExternalIp
compute.subnetworks.use
compute.subnetworks.useExternalIp
Update
AWS CFT Permissions and API Token Duration
If you are using the Code Security module on Prisma Cloud, the AWS CFTs for onboarding commercial, Gov and China accounts have been updated to include permissions for detecting when resources that are managed using IaC templates, like Terraform or CloudFormation, are modified manually using CLI or Console.
The permission updates include the addition of:
lambda:GetLayerVersion
lambda:GetEventSourceMapping
lambda:GetFunction
s3:ListBucket
sns:GetSubscriptionAttributes
And the managed policy
AWSCloudFormationReadOnlyAccess
is added.
API token duration key is also added
MaxSessionDuration : 43200
; the default was 3600 seconds previously and was not included in the CFT.
API Ingestions
Amazon Lex
aws-lexv2-bot
Additional permissions required:
  • lex:ListTagsForResource
  • lex:ListBotVersions
  • lex:ListBots
  • lex:DescribeBotVersion
  • lex:DescribeBot
Amazon Lex
aws-lex-bot
Additional permissions required:
  • lex:GetBot
  • lex:GetBots
  • lex:GetBotVersions
  • lex:ListTagsForResource
Amazon DocumentDB
aws-docdb-db-cluster
Additional permissions required:
  • rds:DescribeDBClusters
  • rds:ListTagsForResource
Azure App Service
azure-app-service
Additional permission required:
Microsoft.Web/sites/config/list/action
Azure Virtual Network
azure-vmss-instance-public-ips
Additional permissions required:
  • Microsoft.Compute/virtualMachineScaleSets/read
  • Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read
Azure Virtual Network
azure-vmss-network-interface
Additional permissions required:
  • Microsoft.Compute/virtualMachineScaleSets/read
  • Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read
Azure Virtual Desktop
azure-virtual-desktop-workspace
Additional permissions required:
  • Microsoft.DesktopVirtualization/workspaces/read
  • Microsoft.DesktopVirtualization/workspaces/providers/Microsoft.Insights/diagnosticSettings/read
Azure Virtual Desktop
azure-virtual-desktop-session-host
Additional permissions required:
  • Microsoft.DesktopVirtualization/hostpools/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhostconfigurations/read
Google Cloud Recommendation
gcloud-recommender-iam-service-account-insight
Additional permission required:
recommender.iamPolicyInsights.list
Google Organization Policy
gcloud-organization-policy-organization-constraint
Additional permissions required:
  • orgpolicy.constraints.list
  • orgpolicy.policy.get
Google Certificate Authority Service
gcloud-certificate-authority-certificate
Additional permissions required:
  • privateca.caPools.list
  • privateca.certificates.list
OCI Data Catalog
oci-datacatalog-catalogs
Additional permissions required:
  • inspect data-catalogs
  • read data-catalogs
OCI Containers And Artifacts
oci-containers-artifacts-containerrepo
Additional permissions required:
  • inspect repos
  • read repos
OCI has a limit of 50 policy statements. With the addition of the following new APIs, Prisma Cloud will have 56 policy statements in the Terraform file. To successfully ingest these new OCI APIs, you will have to request a service limit increase on the policy statements.
OCI Functions
oci-functions-applications
Additional permissions required:
  • inspect fn-app
  • read fn-app
OCI Service Connector Hub
oci-serviceconnectorhub-serviceconnectors
Additional permissions required:
  • inspect serviceconnectors
  • read serviceconnectors
OCI Database
oci-oracledatabase-databases
Additional permissions required:
  • inspect db-systems
  • inspect db-homes
  • inspect databases

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 22.5.1.
POLICY UPDATES
DESCRIPTION
New Policies
Instance affected by OMIGOD vulnerability is exposed to network traffic from the internet
Identifies VM instances installed with Open Management Infrastructure (OMI) version vulnerable for remote code execution (CVE-2021-38647) vulnerability, also known as OMIGOD Vulnerability and exposed to network traffic from the Internet. It is recommended to upgrade OMI to the latest version and limit exposure to the Internet.
network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2021-38647')) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Azure Service bus namespace configured with overly permissive network access
Identifies Azure Service bus namespaces (premium tier) configured with overly permissive network access. By default, Service bus namespaces are accessible from the Internet as long as the request comes with valid authentication and authorization. With an IP firewall, you can further restrict it to only a set of IPv4 addresses or IPv4 address ranges. With virtual networks, the network traffic path is secured on both ends. It is recommended to configure the Service bus namespace with an IP firewall or by virtual network so that the Service bus namespace is accessible only to restricted entities.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-service-bus-namespace' AND json.rule = sku.tier equals "Premium" and properties.status equals "Active" and networkRuleSets[*].properties.defaultAction equals "Allow" and networkRuleSets[*].properties.publicNetworkAccess equals Enabled
GCP VPC network not configured with DNS policy with logging enabled
Identifies GCP VPC network that is not configured with logging enabled DNS policy. Monitoring of Cloud DNS logs provides visibility to DNS names requested by the clients within the VPC. These logs can be monitored for anomalous domain names and evaluated against threat intelligence. It is recommended to enable DNS logging for all the VPC networks.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-networks-list' as X; config from cloud.resource where api.name = 'gcloud-dns-policy' as Y; filter 'not($.Y.networks[*].networkUrl contains $.X.name and $.Y.enableLogging is true)'; show X;
Policy Updates—Metadata
AWS API gateway request parameter is not validated
Changes
—The policy description has been improvised to be more precise.
Current Description
—This policy identifies the AWS API gateways for with the request parameters are not validated. It is recommended to validate the request parameters in the URI, query string, and headers of an incoming request to focus on the validation efforts specific to your application.
Updated Description
—This policy identifies the AWS API gateways for which the request parameters are not validated. When the validation fails, API Gateway fails the request, returns a 400 error response to the caller, and publishes the validation results in CloudWatch Logs. It is recommended to perform basic validation of an API request before proceeding with the integration request to block unvalidated calls to the backend.
Impact
—No impact on policy behavior or existing alerts.
GCP Kubernetes engine clusters have client certificate disabled
Changes
—The cloud type for this policy was incorrect after converting the policy from run-build to build. It is now updated to GCP, which is the correct cloud type.
Impact
—No impact on policy behavior or existing alerts.
Policy Updates—RQL
GCP Kubernetes Engine Clusters have Master authorized networks disabled
Changes
—Auto-remediation CLI has been added to the policy. The RQL has been updated to check clusters with status 'RUNNING'. The recommendation steps have also been updated to match the latest UI changes.
Permission required for CLI execution:
container.clusters.update
Current RQL
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = 'masterAuthorizedNetworksConfig.[*] is empty or masterAuthorizedNetworksConfig.enabled equals false'
Updated RQL
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING and (masterAuthorizedNetworksConfig.[*] is empty or masterAuthorizedNetworksConfig.enabled equals "false")
Impact
—If auto-remediation is enabled for the policy, the alerts will be resolved as ‘REMEDIATED’ or ‘Resource_Updated’. Previously generated alerts with cluster state other than ‘RUNNING’ will be resolved automatically.

REST API Updates

CHANGE
DESCRIPTION
List User Role Types API for Permission Groups Assignments
To view the list of roles associated with administrators/users who have access to Prisma Cloud, the following new API endpoint is available:
GET /user/role/type
When called, it returns an array of all roles administrators/users can belong to.
It includes the following role types:
[ "SYSTEM_ADMIN", "ACCOUNT_ADMIN", "ACCOUNT_READ_ONLY", "SSO_ADMIN", "CLOUD_PROVISIONING_ADMIN", "TENANT_PROVISIONING_ADMIN", "PRISMA_SERVICE_USER", "ACCOUNT_AND_CLOUD_PROVISIONING_ADMIN", "BUILD_AND_DEPLOY_SECURITY", "BUILD_AND_DEPLOY_SECURITY_CI", "COMPUTE_ADMIN", "NETWORK_SECURITY_OPERATOR", "NETWORK_SECURITY_OPERATOR_READ_ONLY", "COMPUTE_ACCOUNT_ADMIN", "DEVELOPER", "COMPUTE_ACCOUNT_READ_ONLY" ]

New Features Introduced in 22.4.1

New Features

FEATURE
DESCRIPTION
API Ingestions
Amazon Neptune
aws-neptune-db-instance
Additional permissions required:
  • rds:DescribeDBInstances
  • rds:ListTagsForResource
Amazon Neptune
aws-neptune-db-cluster
Additional permissions required:
  • rds:DescribeDBClusters
  • rds:ListTagsForResource
AWS MediaStore
aws-mediastore-container
Additional permissions required:
  • mediastore:ListTagsForResource
  • mediastore:ListContainers
  • mediastore:GetCorsPolicy
  • mediastore:GetContainerPolicy
Google Access Approval
gcloud-access-approval-project-approval-setting
Additional permission required:
accessapproval.settings.get
Google Essential Contacts
gcloud-essential-contacts-organization-contact
Additional permission required:
essentialcontacts.contacts.list
Google Service Directory
gcloud-service-directory-namespace-service
Additional permissions required:
  • servicedirectory.endpoints.list
  • servicedirectory.namespaces.list
  • servicedirectory.services.getIamPolicy
  • servicedirectory.services.list
OCI Bastion
oci-bastion
Additional permissions required:
  • inspect bastion-family
  • read bastion-family
Azure App Service
azure-app-service
Additional permission required:
"Microsoft.Web/sites/config/list/action"

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 22.4.2.
POLICY UPDATES
DESCRIPTION
New Policies
Azure Microsoft Defender for Cloud set to Off for Containers
Identifies Azure Microsoft Defender for Cloud that has defender setting for Containers set to Off. As a best practice, enable Azure Defender for Containers.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any(name equals Containers and properties.pricingTier does not equal Standard)] exists
-
Instance affected by SpringShell vulnerability is exposed to network traffic from the internet
Identifies instances installed with the Java Spring Framework version vulnerable to arbitrary code execution (CVE-2022-22963 or CVE-2022-22965) and are exposed to network traffic from the Internet. As a best practice, upgrade the Java Spring Framework version to the latest version to limit exposure to the Internet.
network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965')) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
NOTE: This policy is effective only when Prisma Compute is enabled in your environment.
GCP Firewall rule exposes GKE clusters by allowing all traffic on read-only port (10255)
Identifies GCP Firewall rule that allows all traffic on read-only port (10255), which exposes GKE clusters. In GKE, Kubelet exposes a read-only port 10255 which shows the configurations of all pods on the cluster at the /pods API endpoint. GKE itself does not expose this port to the Internet because the default project firewall configuration blocks external access. However, it is possible to inadvertently expose this port publicly on GKE clusters by creating a Google Compute Engine VPC firewall for GKE nodes that allows traffic from all source ranges on all the ports. This configuration publicly exposes all pod configurations, which might contain sensitive information.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(10255,10255) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp or IPProtocol contains "all")))] exists as X; config from cloud.resource where api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING as Y; filter '$.X.network contains $.Y.networkConfig.network' ; show X;
New Configuration Policies for Build-Time Checks
The following new policies are being available to scan your environments monitored by the Code Security module on Prisma Cloud.
  • Deletion protection disabled for load balancer
  • Deletion protection disabled for load balancer
  • RDS instances do not have Multi-AZ enabled
  • AWS QLDB ledger has deletion protection is disabled
  • AWS WAF does not have associated rules
  • AWS WAF Web Access Control Lists logging is disabled
  • AWS Kinesis Video Stream not encrypted using Customer Managed Key
  • AWS FSX Windows filesystem not encrypted using Customer Managed Key
  • AWS Image Builder component not encrypted using Customer Managed Key
  • AWS S3 Object Copy not encrypted using Customer Managed Key
  • AWS Doc DB not encrypted using Customer Managed Key
  • AWS EBS Snapshot Copy not encrypted using Customer Managed Key
  • AWS S3 bucket Object not encrypted using Customer Managed Key
  • AWS Sagemaker domain not encrypted using Customer Managed Key
  • AWS EBS Volume not encrypted using Customer Managed Key
  • AWS Lustre file system not configured with CMK key
  • AWS Elasticache replication group not configured with CMK key
  • WAF enables message lookup in Log4j2
  • AWS EBS volumes are not encrypted
  • EBS volumes do not have encrypted launch configurations
  • Not all data stored in Aurora is securely encrypted at rest
  • AWS resources that support tags do not have Tags
  • Not all data stored in the EBS snapshot is securely encrypted
  • Active Directory is not used for authentication for Service Fabric
  • Secure transfer required is not enabled
  • Azure Key Vault Keys does not have expiration date
  • Azure Key Vault secrets does not have expiration date
  • Azure resources that support tags do not have tags
  • RSASHA1 is used for Zone-Signing and Key-Signing Keys in Cloud DNS DNSSEC
  • Boot disks for instances do not use CSEKs
  • Default Service Account is used at project level
  • Google storage buckets are not encrypted
  • GCP resources that support labels do not have labels
  • GitHub organization security settings do not include 2FA capability
  • GitHub organization security settings do not include SSO
  • GitHub organization security settings do not have IP allow list enabled
  • GitHub branch protection rules do not include signed commits
  • Github merge requests should require at least 2 approvals
  • Gitlab branch protection rules allows force pushes
  • Gitlab organization has groups with no two factor authentication configured
  • NGINX Ingress annotation snippets contains LUA code execution
  • NGINX Ingress has annotation snippets
  • NGINX Ingress has annotation snippets which contain alias statements
  • AWS Postgres RDS have Query Logging disabled
  • AWS WAF2 does not have a Logging Configuration
  • Storage Account name does not follow naming rules
  • AWS IAM policies that allow full administrative privileges are created
  • AWS Elasticsearch is not configured inside a VPC
  • AWS S3 bucket ACL grants READ permission to everyone
  • AWS IAM policy documents do not allow * (asterisk) as a statement's action
  • AWS S3 Buckets has block public access setting disabled
  • AWS S3 Bucket BlockPublicPolicy is set to True
  • AWS S3 bucket IgnorePublicAcls is set to True
  • AWS S3 bucket RestrictPublicBucket is set to True
  • AWS S3 Bucket has an ACL defined which allows public WRITE access
  • AWS API gateway methods are publicly accessible
  • AWS IAM role allows all services or principals to be assumed
  • Azure Network Security Group allows all traffic on SSH (port 22)
  • Azure SQL Servers Firewall rule allow ingress access from 0.0.0.0/0
  • Azure application gateway does not have WAF enabled
  • Azure storage account has a blob container that is publicly accessible
  • Azure storage account does allow public access
  • Azure AKS cluster network policies are not enforced
  • Azure App Service Web app does not have a Managed Service Identity
  • Azure App Service Web app doesn't use latest .Net framework version
  • Azure App Service Web app does not use latest PHP version
  • Azure App Service Web app does not use latest Python version
  • Azure App Service Web app does not use latest Java version
  • Azure RDP Internet access is not restricted
  • GCP SQL database is publicly accessible
  • GCP SQL database instance does not have backup configuration enabled
  • GCP IAM user are assigned Service Account User or Service Account Token creator roles at project level
  • GCP IAM Service account does have admin privileges
  • GCP SQL Instances do not have SSL configured for incoming connections
  • GCP Cloud SQL database instances have public IPs
  • Azure Storage account Encryption CMKs Disabled
  • Azure SQL Server ADS Vulnerability Assessment (VA) 'Send scan reports to' is not configured
  • Azure SQL Server ADS Vulnerability Assessment (VA) 'Also send email notifications to admins and subscription owners' is disabled
  • Azure SQL servers which doesn't have Azure Active Directory admin configured
  • Azure Virtual Machines does not utilise Managed Disks
  • AWS CloudWatch Log groups encrypted using default encryption key instead of KMS CMK
  • AWS CloudWatch Log groups not configured with definite retention days
  • AWS EC2 instance detailed monitoring disabled
  • AWS Amazon RDS instances Enhanced Monitoring is disabled
  • AWS Secrets Manager secret is not encrypted using KMS CMK
  • Azure Application Gateway Web application firewall (WAF) policy rule for Remote Command Execution is disabled
New Configuration Policies for Run-Time and Build-Time Checks
  • Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
  • Ensure cosmosdb does not allow privileged escalation by restricting management plane changes
  • Ensure Front Door WAF prevents message lookup in Log4j2
  • Ensure Application Gateway WAF prevents message lookup in Log4j2
  • Ensure that 'Send email notification for high severity alerts' is set to 'On'
  • Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
  • Ensure that IP forwarding is not enabled on Instances
  • Ensure Compute instances are launched with Shielded VM enabled
  • Ensure Cloud Armor prevents message lookup in Log4j2
Policy Updates—RQL
The following policies have been deleted:
Azure Microsoft Defender for Cloud is set to Off for Kubernetes
Azure Microsoft Defender for Cloud is set to Off for Container Registries
Changes
—The two services Microsoft Defender for Kubernetes and container registries have been replaced with Microsoft Defender for Containers. The corresponding policies and compliance references have been deleted.
Impact
—Previously generated alerts will be resolved as Policy_Deleted.
Azure Security Center Defender plans is set to Off
Changes
—The policy RQL has been updated to factor deprecated features in the query. The policy recommendation has also been updated.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any(properties.pricingTier does not equal Standard and (properties.deprecated does not exist or properties.deprecated is false))] exists
Impact
—Previously generated alerts will be resolved as Policy_Updated.
GCP VM instance with the external IP address
Changes
—The RQL has been updated.
Current RQL
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-instances-list' AND json.rule = 'status equals RUNNING and networkInterfaces[*].accessConfigs exists and (name does not start with gke- and name does not contains default-pool)'
Updated to
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-instances-list' AND json.rule = status equals RUNNING and networkInterfaces[*].accessConfigs exists and (name does not start with gke- and name does not contain default-pool)
Impact
—No impact on existing alerts.
GCP GCR Container Vulnerability Scanning is disabled
Changes
—The RQL, recommendation steps, and API have been modified: The RQL has been updated to match the updated JSON response of the
gcloud-services-list
API. The recommendation steps have been updated to reflect the latest UI updates. In addition, the
gcloud-services-list
API has been modified and due to the ingestion change, the policy is updated to match the API change.
Current RQL
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-services-list' AND json.rule = services[?any( config.name contains containerscanning.googleapis.com and state contains ENABLED)] does not exist
Updated to
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-services-list' AND json.rule = services[?any(name contains containerscanning.googleapis.com and state contains ENABLED)] does not exist
Impact
—Previously generated alerts will be resolved as Policy_Updated. This has a low impact on alerts.
GCP BigQuery dataset is publicly accessible
Changes
—The
gcloud-bigquery-dataset-list
API is moved to Cloud Asset Inventory which changes the access control list to IAM binding in the JSON response. As a result of the ingestion change, the policy is modified to match the updated API response change. In addition, the recommendation steps have also been updated to reflect the latest UI updates.
Current RQL
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-bigquery-dataset-list' AND json.rule = "acl[?(@.entity.iamMember=='allUsers' || @.entity.identifier=='allAuthenticatedUsers')] exists"
Updated to
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-bigquery-dataset-list' AND json.rule = iamPolicy.bindings[?any(members[*] equals "allUsers" or members[*] equals "allAuthenticatedUsers")] exists
Impact
—No impact on existing alerts.
16 New Anomaly Policies that Map to MITRE ATT&CK v10.0
There are 16 new UEBA Anomaly policies to detect user activity from the TOR anonymity network. Each policy corresponds to one of the different service groups available in AWS, Azure, and GCP—for example—analytics, containers, compute, security, storage, and web. All the policies are classified as high severity and identify defense evasion and impact attack tactics listed in the MITRE ATT&CK framework. The policies are disabled by default, but customers can manually enable them according to their security needs and the cloud services used in their environments. Here’s the list of UEBA policies:
  • Suspicious activity in Security services
  • Suspicious activity in Networking services
  • Suspicious activity in Analytics services
  • Suspicious activity in Monitoring / Management services
  • Suspicious activity in Database services
  • Suspicious activity in Compute services
  • Suspicious activity in Storage services
  • Suspicious activity in Application Integration services
  • Suspicious activity in Containers services
  • Suspicious activity in AI / ML services
  • Suspicious activity in Migration services
  • Suspicious activity in Dev Tools services
  • Suspicious activity in Web services
  • Suspicious activity in IoT services
  • Suspicious activity in Media services
  • Suspicious login activity

Recommended For You