Features Introduced in August 2022
Learn what’s new on Prisma™ Cloud in August 2022.
New Features Introduced in 22.8.2
New Features
| FEATURE | DESCRIPTION |
|---|---|
| Customized Views for Alert Prioritization | Saved Views on Prisma Cloud simplify the challenge of prioritizing alerts. With Saved Views, alerts are organized into threat vector categories so that your teams can focus on what matters most. The 8 default views are Overview, Incidents, Exposure, Vulnerabilities, Misconfigurations, CIEM, Malware, and Data, and you can enable or disable each of them. Each view includes preset filters that display the most relevant alerts for its category; for example, the Exposure view shows all internet exposure alerts. You can also filter on the alert criteria that matter most to you to create your own Saved Views, and choose the visualizations and the default sort order of the tabular data. |
| Adoption Advisor Enhancement | To help you gauge adoption of the Cloud Workload Protection and Cloud Code Security capabilities on Prisma Cloud, the Adoption Advisor now gives you visibility into and guidance on your operationalization journey, so you know where you are, what to do next, and why. |
| Alert Rules Policies Filter | The new Add Filter option helps you select policies by Policy Severity, Cloud Type, Compliance Standard, and Policy Label while creating or editing alert rules. Once you have selected all policies based on the filtered results, you can enable Include new policies matching filter criteria, and Prisma Cloud automatically picks up any such policies added in the future. |
| Prisma Cloud Service in Japan | A Prisma Cloud tenant (app.jp.prismacloud.io) is now available for the Japan region. |
| Update Prisma Cloud Data Security—New File Extensions Supported for Malware Scanning | Prisma Cloud can now scan the following types of file extensions on your storage buckets for malware: |
| API Ingestions | Amazon App Mesh `aws-appmesh-mesh`. Additional permissions are required; the Security Audit role includes them. |
| API Ingestions | Amazon App Mesh `aws-appmesh-virtual-gateway`. Additional permissions are required; the Security Audit role includes them. This API only ingests virtual gateway resources owned by the same account; it does not ingest a virtual gateway that is a shared resource in another account. |
| API Ingestions | AWS Step Functions `aws-step-functions-statemachine`. Additional permissions required: |
| API Ingestions | Azure HDInsight `azure-hdinsight-cluster`. An additional permission is required; the Reader role includes it. |
| API Ingestions | Azure Management Group `azure-management-group-entities-list`. Additional permissions are required; the Reader role includes them. Ensure that you use the right scope for each permission. Inherited permissions will not work for the permission . Assign this permission directly to the subscription resource. |
| API Ingestions | Azure Power BI Embedded `azure-powerbi-dedicated-capacities`. Additional permissions are required; the Reader role includes them. |
| API Ingestions | Azure Synapse Analytics `azure-synapse-spark-configuration`. Additional permissions are required; the Reader role includes them. |
| API Ingestions | Google Cloud Data Loss Prevention `gcloud-dlp-project-inspect-template`. An additional permission is required; the Viewer role includes it. |
| API Ingestions | Google Cloud Data Loss Prevention `gcloud-dlp-project-deidentify-template`. An additional permission is required; the Viewer role includes it. |
| API Ingestions | Google Cloud Data Loss Prevention `gcloud-dlp-project-job-trigger`. An additional permission is required; the Viewer role includes it. |
| Update Google Cloud Storage | Google Cloud Storage `gcloud-storage-buckets-list`. The JSON metadata for this API now includes a new field, `serviceAccount`, that holds the name of the service account linked to each bucket. You can view this metadata on the page when you use a Config or IAM query where the . |
New Policies and Policy Updates
| POLICY UPDATES | DESCRIPTION |
|---|---|
| Policy Updates-RQL | AWS EKS cluster security group overly permissive to all traffic. Changes— The policy RQL has been updated to check the default cluster security group along with any custom security groups attached to the EKS cluster. Current RQL— Updated RQL— Impact— Low. New alerts will be triggered for AWS EKS clusters whose default cluster security group is overly permissive to all traffic. |
| Policy Updates-Metadata | AWS Lambda function managed ENI reachable from untrust internet source. Changes— The policy subtype has been updated from Network Event to Network Config. Impact— No impact on existing alerts. |
| Policy Deletion | GCP Kubernetes Engine Clusters have pod security policy disabled. This policy and its Out of the Box (OOB) compliance mappings have been deleted, since pod security policy status information is no longer available. Impact— Low. Previously generated alerts are resolved as Policy_Deleted. |

If you have enabled the Code Security subscription on Prisma Cloud, see Code Security-Features Introduced in August 2022 for details on new Configuration Build policies.
New Compliance Benchmarks and Updates
| COMPLIANCE BENCHMARK | DESCRIPTION |
|---|---|
| Support for CIS GKE version 1.2.0 | Support is now available for the Center for Internet Security (CIS) benchmark for Google Kubernetes Engine (GKE) version 1.2.0. This benchmark includes a set of recommendations for configuring GKE version 1.2 to support a strong security posture. |
REST API Updates
| CHANGE | DESCRIPTION |
|---|---|
| Add Entries to Anomaly Trusted List | A new Anomaly Trusted List API endpoint is now available. It enables you to add one or more entries to the Anomaly Trusted List. |
New Features Introduced in 22.8.1
New Features
| FEATURE | DESCRIPTION |
|---|---|
| Adoption Advisor PDF Report | Reports in PDF format can now be downloaded directly from your Adoption Advisor dashboard. Adoption summary details such as Adoption Progress and checks can be generated as a PDF report in real time. Additionally, you can choose whether to include widget data from the last 30, 60, or 90 days in the PDF report. |
| API Ingestions | Amazon AppFlow `aws-appflow-flow`. Additional permissions required: |
| API Ingestions | Amazon Grafana `aws-grafana-workspace`. Additional permissions required: |
| API Ingestions | Amazon Transcribe `aws-transcribe-language-model`. Additional permissions required: |
| API Ingestions | Azure Active Directory Enterprise Applications `azure-active-directory-enterprise-applications`. Additional permission required: |
| API Ingestions | Google Cloud Data Loss Prevention `gcloud-dlp-organization-inspect-template`. An additional permission is required; the Viewer role includes it. |
| API Ingestions | Google Cloud Data Loss Prevention `gcloud-dlp-organization-deidentify-template`. An additional permission is required; the Viewer role includes it. |
| API Ingestions | Google Firebase Remote Config `gcloud-firebase-remote-config-template`. An additional permission is required; the Viewer role includes it. |
| Update API Ingestion—Amazon Connect | Amazon Connect `aws-connect-instance`. This API is updated with an additional field, `attributes`, in the resource JSON. |
| Update API Ingestion—Azure Media Service | Azure Media Service `azure-media-service-account`. This API is updated to include the following new fields in the resource JSON: |
| Update API Ingestion—Azure Kubernetes Service | Azure Kubernetes Service `azure-kubernetes-cluster`. Because the API version has been upgraded from 2019-04-01 to 2022-04-01, Prisma Cloud now supports ingestion of the newly added fields in the resource JSON. |
| Change in Existing Behavior—Support for SES Identities Attached with a Single Identity Policy | If you have custom policies on Prisma Cloud that use the `aws-ses-identities` API with `policies` in their RQL, new alerts are generated for SES identity resources that have only a single identity policy attached. Impact— Medium. New alerts are generated based on the resource configuration. |
| Change in Existing Behavior—Region Names on Investigate Page | You can now see the correct Region Names for `gcloud-container-describe-clusters` and `gcloud-redis-instances-list` resources on the Investigate page. Impact— The existing alerts for these policies are resolved as Resource_Updated and new alerts will be generated based on the resource configuration. |
| Change in Existing Behavior—Region Support for Google BigQuery | Region support for the `gcloud-bigquery-dataset-list` and `gcloud-bigquery-table` APIs has been enabled on Prisma Cloud. As a result, all resources for these APIs display a Region Name on the Investigate page. Impact— If any existing custom policies contain Region Name in their RQL, new alerts are generated against policy violations. |
New Policies and Policy Updates
See the look-ahead updates for planned features and policy updates for 22.8.2.

| POLICY UPDATES | DESCRIPTION |
|---|---|
| New Policy | AWS Lambda function URL AuthType set to NONE. Identifies AWS Lambda functions whose function URL AuthType is set to NONE. AuthType determines how Lambda authenticates or authorizes requests to your function URL; when it is NONE, Lambda performs no authentication before invoking your function. It is highly recommended to set AuthType to AWS_IAM so that function URL requests are authenticated through AWS IAM. |
| New Policy | AWS DocumentDB cluster deletion protection is disabled. Identifies AWS DocumentDB clusters for which deletion protection is disabled. Enabling deletion protection for DocumentDB clusters prevents irreversible data loss resulting from accidental or malicious operations. |
| New Policy | AWS Neptune Cluster not configured with IAM authentication. Identifies AWS Neptune clusters that are not configured with IAM authentication. If you enable IAM authentication, you don't need to store user credentials in the database because authentication is managed externally using IAM. IAM database authentication ensures that network traffic to and from database clusters is encrypted using Secure Sockets Layer (SSL), provides central access management for your database resources, and enforces the use of profile credentials instead of a password for greater security. |
| New Policy | AWS Neptune cluster deletion protection is disabled. Identifies AWS Neptune clusters for which deletion protection is disabled. Enabling deletion protection for Neptune clusters prevents irreversible data loss resulting from accidental or malicious operations. |
| New Policy | AWS Web Application Firewall v2 (AWS WAFv2) logging is disabled. Identifies AWS WAFv2 web ACLs for which logging is disabled. Enabling WAFv2 logging records all web requests inspected by the service, which can be used for debugging and additional forensics. The logs help you understand why certain rules are triggered and why certain web requests are blocked, and you can integrate them with any SIEM or log analysis tool for further analysis. It is recommended to enable logging on your WAFv2 web ACLs. |
| New Policy | AWS Web Application Firewall (AWS WAF) Classic logging is disabled. Identifies AWS WAF Classic web ACLs for which logging is disabled. Enabling WAF logging records all web requests inspected by the service, which can be used for debugging and additional forensics. The logs help you understand why certain rules are triggered and why certain web requests are blocked, and you can integrate them with any SIEM or log analysis tool for further analysis. It is recommended to enable logging on your WAF Classic web ACLs. |
| New Policy | Azure Service Bus namespace not configured with Azure Active Directory (Azure AD) authentication. Identifies Service Bus namespaces that are not configured with Azure AD authentication and have local authentication enabled. Azure AD provides superior security and ease of use over shared access signatures (SAS): with Azure AD there is no need to store tokens in your code and risk potential security vulnerabilities. It is recommended to configure Service Bus namespaces with Azure AD authentication so that all actions are strongly authenticated. |
| New Policy | Azure Virtual Machine vTPM feature is disabled. Identifies Virtual Machines that have the Virtual Trusted Platform Module (vTPM) feature disabled. A vTPM provides enhanced security to the guest operating system. It is recommended to enable the virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. This assessment only applies to trusted launch-enabled virtual machines; you can't enable trusted launch on existing virtual machines that were created without it. |
| New Policy | Azure Virtual Machine (Windows) secure boot feature is disabled. Identifies Windows Virtual Machines that have the Secure Boot feature disabled. Enabling Secure Boot on supported Windows virtual machines mitigates malicious and unauthorized changes to the boot chain, helping protect your VMs against bootkits, rootkits, and kernel-level malware. It is therefore recommended to enable Secure Boot for Azure Windows virtual machines. This assessment only applies to trusted launch-enabled Windows virtual machines; you can't enable trusted launch on existing virtual machines that were created without it. |
| New Policy | Azure Batch account is not configured with managed identity. Identifies Batch accounts that are not configured with a managed identity. A managed identity can be used to authenticate to any service that supports Azure AD authentication without keeping credentials in your code. Storing credentials in code increases the attack surface if the code is compromised, and managed identities also eliminate the need for developers to manage credentials. As a security best practice, it is recommended to assign a managed identity to your Batch account. |
| New Policy | OCI Kubernetes Engine Cluster endpoint is not configured with Network Security Groups. Identifies Kubernetes Engine Cluster endpoints that are not configured with Network Security Groups. Network security groups give fine-grained control over resources and help restrict network access to your cluster node pools. It is recommended to restrict access to the cluster node pools by configuring network security groups. |
| New Policy | OCI Kubernetes Engine Cluster boot volume is not configured with in-transit data encryption. Identifies Kubernetes Engine Clusters whose boot volumes are not configured with in-transit data encryption. Configuring in-transit encryption on cluster boot volumes encrypts data in transit between the instance, the boot volume, and the block volumes; all data moving between the instance and the block volume is transferred over an internal and highly secure network. It is recommended to configure cluster boot volumes with in-transit data encryption to minimize the risk of sensitive data being leaked. |
| New Policy | OCI Kubernetes Engine Cluster pod security policy not enforced. Identifies Kubernetes Engine Clusters that do not enforce a pod security policy. A Pod Security Policy defines a set of conditions that pods must meet to be accepted by the cluster; when a request to create or update a pod does not meet those conditions, the request is rejected and an error is returned. |
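As an added illustration of how several of the policy conditions listed above translate into concrete checks, the following evaluator runs over a constructed resource inventory. This is example code written for this note, not Prisma Cloud's policy engine or its RQL; the resource JSON field names, the `api` labels and every sample value are assumptions modelled loosely on the cloud providers' own APIs (Lambda function URL config, DocumentDB and Neptune cluster descriptions, WAFv2 logging configuration, Azure VM and Service Bus ARM properties). It also applies the scoping caveat stated for the Azure policies: VMs created without trusted launch are out of scope rather than reported.

```python
"""Added example (not Prisma Cloud code or RQL): a minimal evaluator for several
of the new 22.8.1 policies, run over constructed resource JSON.

The JSON shapes are assumptions modelled loosely on the provider APIs; a real
ingestion pipeline would normalise provider output into whatever shape its
policy engine expects.
"""
from typing import Any, Callable, Dict, List, Tuple

Resource = Dict[str, Any]
Check = Callable[[Resource], bool]


def lambda_url_auth_none(res: Resource) -> bool:
    """AWS Lambda function URL AuthType set to NONE: unauthenticated invocation.
    A function with no function URL at all is compliant."""
    url_cfg = res.get("FunctionUrlConfig")
    return url_cfg is not None and url_cfg.get("AuthType") == "NONE"


def deletion_protection_disabled(res: Resource) -> bool:
    """DocumentDB / Neptune cluster deletion protection is disabled.
    A missing flag is treated as disabled (the provider default)."""
    return not res.get("DeletionProtection", False)


def wafv2_logging_disabled(res: Resource) -> bool:
    """AWS WAFv2 logging is disabled: no logging configuration on the web ACL."""
    return not res.get("LoggingConfiguration")


def _trusted_launch_profile(res: Resource) -> Dict[str, Any]:
    """Return the securityProfile only for trusted-launch VMs, else {}."""
    profile = res.get("properties", {}).get("securityProfile", {})
    return profile if profile.get("securityType") == "TrustedLaunch" else {}


def azure_vm_vtpm_disabled(res: Resource) -> bool:
    """Azure VM vTPM disabled. Scoped to trusted-launch VMs only, as the
    policy text states; a VM created without trusted launch is out of scope."""
    profile = _trusted_launch_profile(res)
    return bool(profile) and not profile.get("uefiSettings", {}).get("vTpmEnabled", False)


def azure_windows_vm_secure_boot_disabled(res: Resource) -> bool:
    """Azure Windows VM Secure Boot disabled, again trusted-launch VMs only."""
    profile = _trusted_launch_profile(res)
    os_type = res.get("properties", {}).get("storageProfile", {}).get("osDisk", {}).get("osType")
    secure_boot = profile.get("uefiSettings", {}).get("secureBootEnabled", False)
    return bool(profile) and os_type == "Windows" and not secure_boot


def servicebus_local_auth_enabled(res: Resource) -> bool:
    """Azure Service Bus namespace still accepts SAS (local auth) rather than Azure AD only."""
    return not res.get("properties", {}).get("disableLocalAuth", False)


# (resource api label, policy name, check); the api labels are constructed.
POLICIES: List[Tuple[str, str, Check]] = [
    ("aws-lambda-function", "AWS Lambda function URL AuthType set to NONE", lambda_url_auth_none),
    ("aws-docdb-cluster", "AWS DocumentDB cluster deletion protection is disabled", deletion_protection_disabled),
    ("aws-neptune-cluster", "AWS Neptune cluster deletion protection is disabled", deletion_protection_disabled),
    ("aws-wafv2-web-acl", "AWS WAFv2 logging is disabled", wafv2_logging_disabled),
    ("azure-vm", "Azure Virtual Machine vTPM feature is disabled", azure_vm_vtpm_disabled),
    ("azure-vm", "Azure Virtual Machine (Windows) secure boot feature is disabled", azure_windows_vm_secure_boot_disabled),
    ("azure-servicebus-namespace", "Azure Service bus namespace not configured with Azure AD authentication", servicebus_local_auth_enabled),
]


def evaluate(resources: List[Resource]) -> List[Tuple[str, str]]:
    """Return (resource id, policy name) for every policy a resource violates."""
    findings: List[Tuple[str, str]] = []
    for res in resources:
        for api, policy, check in POLICIES:
            if res["api"] == api and check(res):
                findings.append((res["id"], policy))
    return findings


# Constructed sample inventory; ids and values are made up for illustration.
SAMPLE_RESOURCES: List[Resource] = [
    {"api": "aws-lambda-function", "id": "fn-public", "FunctionUrlConfig": {"AuthType": "NONE"}},
    {"api": "aws-lambda-function", "id": "fn-iam", "FunctionUrlConfig": {"AuthType": "AWS_IAM"}},
    {"api": "aws-lambda-function", "id": "fn-nourl"},  # no function URL: compliant
    {"api": "aws-docdb-cluster", "id": "docdb-1", "DeletionProtection": False},
    {"api": "aws-neptune-cluster", "id": "neptune-1", "DeletionProtection": True},
    {"api": "aws-wafv2-web-acl", "id": "acl-1"},  # no LoggingConfiguration key
    {"api": "azure-vm", "id": "vm-tl", "properties": {
        "storageProfile": {"osDisk": {"osType": "Windows"}},
        "securityProfile": {"securityType": "TrustedLaunch",
                            "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": False}}}},
    {"api": "azure-vm", "id": "vm-gen1", "properties": {
        "storageProfile": {"osDisk": {"osType": "Windows"}}}},  # not trusted launch: out of scope
    {"api": "azure-servicebus-namespace", "id": "sb-1", "properties": {"disableLocalAuth": False}},
]

if __name__ == "__main__":
    for resource_id, policy_name in evaluate(SAMPLE_RESOURCES):
        print(f"{resource_id}: {policy_name}")
```

Run stand-alone, the script reports five findings: the unauthenticated Lambda URL, the DocumentDB cluster without deletion protection, the unlogged WAFv2 web ACL, the trusted-launch VM with vTPM off, and the Service Bus namespace that still allows local authentication. The second VM is silently skipped rather than flagged, which is the behaviour the policy text describes for machines that were never created with trusted launch.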
New Compliance Benchmarks and Updates
| COMPLIANCE BENCHMARK | DESCRIPTION |
|---|---|
| Support for HITRUST CSF v9.6.0 | HITRUST CSF is a framework designed and built to streamline regulatory compliance through a common set of security controls mapped to various standards such as HIPAA, NIST, HITECH, and others, enabling organizations, particularly in healthcare, to achieve and maintain full compliance. The CSF contains 14 control categories that comprise 49 control objectives and 156 control specifications. |
| Support for Cybersecurity Maturity Model Certification (CMMC) | The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a comprehensive framework that builds on the initial CMMC framework. The CMMC is a security assessment and verification standard for defense contractors serving the Department of Defense (DoD). The framework helps assess the security levels of companies in the Defense Industrial Base (DIB) to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) against frequent and complex cyberattacks, including Advanced Persistent Threats. |
| Support for DFS 23 NYCRR 500 | The New York DFS Cybersecurity Regulations (23 NYCRR 500) are a set of regulations by the New York Department of Financial Services (NYDFS) that impose cybersecurity requirements on all covered financial institutions. These regulations are designed to ensure your organization can effectively protect your customers' confidential information from cyberattacks. They include conducting regular security risk assessments, keeping audit trails of asset use, providing defensive infrastructure, maintaining policies and procedures for cybersecurity, and creating an incident response plan. Violation of these regulations can result in fines of up to US$250,000 or one percent of total bank assets. |
REST API Updates
| CHANGE | DESCRIPTION |
|---|---|
| Alert Response Count Updates | The alert count limit (maximum number of items returned in one response) is 10,000 for the following Alerts APIs: If you enter a value greater than 10,000 for the limit, an HTTP 400 response is returned. Supported values are 1-10,000; the default is 10,000. |
| Bulk Export Resource Archives | A new Data Service API endpoint is now available. It allows you to retrieve resource archives from AWS S3 for the required time period. |