Features Introduced in August 2022

Learn what's new on Prisma™ Cloud in August 2022.

New Features

FEATURE
DESCRIPTION
Customized Views for Alert Prioritization
Saved Views on Prisma Cloud simplify the challenge of prioritizing alerts. With Saved Views, alerts are organized into threat-vector categories so that your teams can focus on what matters most. The eight default views are Overview, Incidents, Exposure, Vulnerabilities, Misconfigurations, CIEM, Malware, and Data, and you can enable or disable each of them.
Each view includes preset filters that display the most relevant alerts for its category. For example, the Exposure saved view shows all internet-exposure alerts. You can also filter on the alert criteria that matter most to you to create your own Saved Views, and choose the visualizations and the default sort order of the tabular data.
Adoption Advisor Enhancement
To help you gauge adoption of the Cloud Workload Protection and Cloud Code Security capabilities on Prisma Cloud, the Adoption Advisor now provides visibility and guidance for your operationalization journey, so you know where you are, what to do next, and why.
Alert Rules Policies Filter
The new Add Filter option helps you select policies by Policy Severity, Cloud Type, Compliance Standard, and Policy Label while creating or editing alert rules.
Once you select all policies based on the filtered results, you can enable Include new policies matching filter criteria, and Prisma Cloud will automatically include in the alert rule any matching policies that are added in the future.
Prisma Cloud Service in Japan
A Prisma Cloud tenant (app.jp.prismacloud.io) is now available for the Japan region.
Update
Prisma Cloud Data Security—New File Extensions Supported for Malware Scanning
Prisma Cloud can now scan files with the following extensions in your storage buckets for malware:
  • .rar
  • .zip
  • .7z
API Ingestions
Amazon App Mesh
aws-appmesh-mesh
Additional permissions required:
  • appmesh:ListMeshes
  • appmesh:DescribeMesh
  • appmesh:ListTagsForResource
The Security Audit role includes the permissions.
Amazon App Mesh
aws-appmesh-virtual-gateway
Additional permissions required:
  • appmesh:ListVirtualGateways
  • appmesh:DescribeVirtualGateway
  • appmesh:ListMeshes
  • appmesh:ListTagsForResource
The Security Audit role includes the permissions.
This API only ingests virtual gateway resources owned by the same account. It does not ingest when the virtual gateway is a shared resource in another account.
AWS Step Functions
aws-step-functions-statemachine
Additional permissions required:
  • states:ListStateMachines
  • states:DescribeStateMachine
  • states:ListTagsForResource
Azure HDInsight
azure-hdinsight-cluster
Additional permission required:
Microsoft.HDInsight/clusters/read
The Reader role includes the permission.
Azure Management Group
azure-management-group-entities-list
Additional permissions required:
  • Microsoft.Resources/subscriptions/read (Scope: per subscription)
  • Microsoft.Management/managementGroups/descendants/read (Scope: tenant root management group)
The Reader role includes these permissions.
Ensure that you assign each permission at the right scope. Inherited permissions do not work for Microsoft.Resources/subscriptions/read; assign this permission directly on the subscription resource.
Azure Power BI Embedded
azure-powerbi-dedicated-capacities
Additional permissions required:
  • Microsoft.PowerBIDedicated/servers/read
  • Microsoft.PowerBIDedicated/capacities/read
The Reader role includes the permissions.
Azure Synapse Analytics
azure-synapse-spark-configuration
Additional permissions required:
  • Microsoft.Synapse/workspaces/read
  • Microsoft.Synapse/workspaces/sparkConfigurations/read
The Reader role includes the permissions.
Google Cloud Data Loss Prevention
gcloud-dlp-project-inspect-template
Additional permission required:
dlp.inspectTemplates.list
The Viewer role includes this permission.
Google Cloud Data Loss Prevention
gcloud-dlp-project-deidentify-template
Additional permission required:
dlp.deidentifyTemplates.list
The Viewer role includes this permission.
Google Cloud Data Loss Prevention
gcloud-dlp-project-job-trigger
Additional permission required:
dlp.jobTriggers.list
The Viewer role includes this permission.
Update
Google Cloud Storage
gcloud-storage-buckets-list
The JSON metadata for this API now includes a new field, serviceAccount, that holds the name of the service account linked to each bucket. You can view this metadata on the Investigate page when you use a Config or IAM query with api.name = gcloud-storage-buckets-list.

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
Policy Updates-RQL
AWS EKS cluster security group overly permissive to all traffic
Changes—
The policy RQL has been updated to check the default cluster security group in addition to the custom security groups attached to the EKS cluster.
Current RQL—
config from cloud.resource where api.name = 'aws-eks-describe-cluster' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = isShared is false and (ipPermissions[*].ipv4Ranges[*] contains 0.0.0.0/0 or ipPermissions[*].ipv6Ranges[*] contains ::/0) as Y; filter '$.X.resourcesVpcConfig.securityGroupIds contains $.Y.groupId'; show Y;
Updated RQL—
config from cloud.resource where api.name = 'aws-eks-describe-cluster' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = isShared is false and (ipPermissions[*].ipv4Ranges[*] contains 0.0.0.0/0 or ipPermissions[*].ipv6Ranges[*] contains ::/0) as Y; filter '$.X.resourcesVpcConfig.securityGroupIds contains $.Y.groupId or $.X.resourcesVpcConfig.clusterSecurityGroupId contains $.Y.groupId'; show Y;
Impact—
Low. New alerts will be triggered for AWS EKS clusters whose default cluster security group is overly permissive to all traffic.
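The difference between the two RQL variants, as an added example that is not Prisma Cloud code: the join is re-implemented in Python and run over constructed EKS cluster and security-group JSON. The field names are the ones the RQL references (resourcesVpcConfig.securityGroupIds, resourcesVpcConfig.clusterSecurityGroupId, isShared, ipPermissions[].ipv4Ranges/ipv6Ranges, groupId); the cidrIp/cidrIpv6 keys inside the range objects and all IDs are assumptions.

```python
"""Added example (not Prisma Cloud code): current vs. updated join logic of the
'AWS EKS cluster security group overly permissive to all traffic' policy."""

# Constructed sample: two clusters, each with one custom SG and the default
# cluster SG that EKS creates. Only prod-eks has its *default* SG open to the world.
EKS_CLUSTERS = [
    {"name": "prod-eks", "resourcesVpcConfig": {
        "securityGroupIds": ["sg-custom1"], "clusterSecurityGroupId": "sg-default1"}},
    {"name": "dev-eks", "resourcesVpcConfig": {
        "securityGroupIds": ["sg-custom2"], "clusterSecurityGroupId": "sg-default2"}},
]

SECURITY_GROUPS = [  # cidrIp / cidrIpv6 key names are assumed
    {"groupId": "sg-custom1", "isShared": False,
     "ipPermissions": [{"ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}]},
    {"groupId": "sg-default1", "isShared": False,
     "ipPermissions": [{"ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]},
    {"groupId": "sg-custom2", "isShared": False,
     "ipPermissions": [{"ipv4Ranges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]},
    {"groupId": "sg-default2", "isShared": False,
     "ipPermissions": [{"ipv4Ranges": [{"cidrIp": "192.168.0.0/16"}], "ipv6Ranges": []}]},
    # Shared SG owned by another account: excluded by 'isShared is false' in both RQLs.
    {"groupId": "sg-shared", "isShared": True,
     "ipPermissions": [{"ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]},
]


def open_to_world(sg: dict) -> bool:
    """The json.rule on Y: isShared is false and (ipv4 has 0.0.0.0/0 or ipv6 has ::/0)."""
    if sg.get("isShared", False):
        return False
    for perm in sg.get("ipPermissions", []):
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipv4Ranges", [])):
            return True
        if any(r.get("cidrIpv6") == "::/0" for r in perm.get("ipv6Ranges", [])):
            return True
    return False


def flagged_groups(clusters: list, groups: list, include_default_sg: bool) -> set:
    """The filter/join step. include_default_sg=False mirrors the 'Current RQL'
    (securityGroupIds only); True mirrors the 'Updated RQL', which also matches
    clusterSecurityGroupId. Returns the groupIds the policy would alert on (show Y)."""
    open_sgs = {sg["groupId"] for sg in groups if open_to_world(sg)}
    hits = set()
    for cluster in clusters:
        cfg = cluster.get("resourcesVpcConfig", {})
        candidates = set(cfg.get("securityGroupIds", []))
        if include_default_sg and cfg.get("clusterSecurityGroupId"):
            candidates.add(cfg["clusterSecurityGroupId"])
        hits |= candidates & open_sgs
    return hits


if __name__ == "__main__":
    print("current RQL:", sorted(flagged_groups(EKS_CLUSTERS, SECURITY_GROUPS, False)))
    print("updated RQL:", sorted(flagged_groups(EKS_CLUSTERS, SECURITY_GROUPS, True)))
```

With this inventory the current logic flags only sg-custom2 (the open custom SG on dev-eks); the updated logic additionally flags sg-default1, the open default cluster SG on prod-eks, which is exactly the new alert the Impact note describes. The shared SG is never flagged by either variant.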
Policy Updates-Metadata
AWS Lambda function managed ENI reachable from untrust internet source
Changes—
The policy subtype has been updated from Network Event to Network Config.
Impact—
No impact on existing alerts.
Policy Deletion
GCP Kubernetes Engine Clusters have pod security policy disabled
Deleted this policy and Out of the Box (OOB) compliance mappings since pod security status information is no longer available.
Impact—
Low. Previously generated alerts are resolved as Policy_Deleted.
If you have enabled the Code Security subscription on Prisma Cloud, see Code Security-Features Introduced in August 2022 for details on new Configuration Build policies.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Support for CIS GKE version 1.2.0
Support is now available for Center for Internet Security (CIS) benchmark for Google Kubernetes Engine (GKE) version 1.2.0. This benchmark includes a set of recommendations for configuring GKE version 1.2 to support a strong security posture.

REST API Updates

CHANGE
DESCRIPTION
Add Entries to Anomaly Trusted List
A new Anomaly Trusted List API endpoint is now available. It enables you to add one or more entries to the Anomaly Trusted List.

New Features

FEATURE
DESCRIPTION
Adoption Advisor PDF Report
Reports in PDF format can now be downloaded directly from your Adoption Advisor dashboard.
Adoption summary details such as Adoption Progress and checks can be generated as a PDF report in real time.
Additionally, you can choose whether to include widget data from the last 30, 60, or 90 days in the PDF report.
API Ingestions
Amazon AppFlow
aws-appflow-flow
Additional permissions required:
  • appflow:DescribeFlow
  • appflow:ListFlows
Amazon Grafana
aws-grafana-workspace
Additional permissions required:
  • grafana:DescribeWorkspace
  • grafana:DescribeWorkspaceAuthentication
  • grafana:ListWorkspaces
Amazon Transcribe
aws-transcribe-language-model
Additional permissions required:
  • transcribe:ListLanguageModels
  • transcribe:ListTagsForResource
Azure Active Directory Enterprise Applications
azure-active-directory-enterprise-applications
Additional permission required:
Application.Read.All
Google Cloud Data Loss Prevention
gcloud-dlp-organization-inspect-template
Additional permission required:
dlp.inspectTemplates.list
The Viewer role includes this permission.
Google Cloud Data Loss Prevention
gcloud-dlp-organization-deidentify-template
Additional permission required:
dlp.deidentifyTemplates.list
The Viewer role includes this permission.
Google Firebase Remote Config
gcloud-firebase-remote-config-template
Additional permission required:
cloudconfig.configs.get
The Viewer role includes this permission.
Update
API Ingestion—Amazon Connect
Amazon Connect
aws-connect-instance
This API is updated with an additional field, attributes, in the resource JSON.
Update
API Ingestion—Azure Media Service
Azure Media Service
azure-media-service-account
This API is updated to include the following new fields in the resource JSON:
  • systemData{}
  • identity{}
Update
API Ingestion—Azure Kubernetes Service
Azure Kubernetes Service
azure-kubernetes-cluster
Because the API version has been upgraded from 2019-04-01 to 2022-04-01, Prisma Cloud now ingests the newly added fields in the resource JSON.
Change in Existing Behavior
Support for SES Identities Attached with a Single Identity Policy
If you have custom policies on Prisma Cloud that use the aws-ses-identities API and reference policies in their RQL, new alerts are generated for SES identity resources that have only a single identity policy attached.
Impact—Medium. New alerts are generated based on the resource configuration.
Change in Existing Behavior
Region Names on Investigate Page
You can now see the correct Region Names for gcloud-container-describe-clusters and gcloud-redis-instances-list resources on the Investigate page.
Impact—The existing alerts on these resources are resolved as Resource_Updated, and new alerts will be generated based on the resource configuration.
Change in Existing Behavior
Region Support for Google BigQuery
Region support for the gcloud-bigquery-dataset-list and gcloud-bigquery-table APIs has been enabled on Prisma Cloud. As a result, all resources for these APIs display a Region Name on the Investigate page.
Impact—If any existing custom policies include Region Name in their RQL, new alerts are generated for policy violations.

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 22.8.2
Policy Updates
Description
New Policy
AWS Lambda function URL AuthType set to NONE
Identifies AWS Lambda functions whose function URL has AuthType set to NONE. AuthType determines how Lambda authenticates or authorizes requests to your function URL. When AuthType is NONE, Lambda performs no authentication before invoking your function. It is highly recommended to set AuthType to AWS_IAM so that requests to the function URL are authenticated via AWS IAM.
config from cloud.resource where cloud.type = 'aws' AND api.name= 'aws-lambda-list-functions' AND json.rule = authType equal ignore case NONE
AWS DocumentDB cluster deletion protection is disabled
Identifies AWS DocumentDB clusters for which deletion protection is disabled. Enabling deletion protection for DocumentDB clusters prevents irreversible data loss resulting from accidental or malicious operations.
config from cloud.resource where cloud.type = 'aws' AND api.name= 'aws-docdb-db-cluster' AND json.rule = Status contains available and DeletionProtection is false
AWS Neptune Cluster not configured with IAM authentication
Identifies AWS Neptune clusters that are not configured with IAM authentication. If you enable IAM authentication, you don't need to store user credentials in the database because authentication is managed externally using IAM. IAM database authentication ensures the network traffic to and from database clusters is encrypted using Secure Sockets Layer (SSL), provides central access management to your database resources, and enforces the use of profile credentials instead of a password for greater security.
config from cloud.resource where cloud.type = 'aws' AND api.name= 'aws-neptune-db-cluster' AND json.rule = Status contains available and IAMDatabaseAuthenticationEnabled is false
AWS Neptune cluster deletion protection is disabled
Identifies AWS Neptune clusters for which deletion protection is disabled. Enabling deletion protection for Neptune clusters prevents irreversible data loss resulting from accidental or malicious operations.
config from cloud.resource where cloud.type = 'aws' AND api.name= 'aws-neptune-db-cluster' AND json.rule = Status contains available and DeletionProtection is false
AWS Web Application Firewall v2 (AWS WAFv2) logging is disabled
Identifies Web Application Firewall v2 (AWS WAFv2) web ACLs for which logging is disabled. Enabling WAFv2 logging records all web requests inspected by the service, which can be used for debugging and forensics. The logs help you understand why certain rules are triggered and why certain web requests are blocked, and you can integrate them with a SIEM or log analysis tools for further analysis. It is recommended to enable logging on your WAFv2 web ACLs.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = '(resources.applicationLoadBalancer[*] exists or resources.apiGateway[*] exists or resources.other[*] exists) and loggingConfiguration.resourceArn does not exist'
AWS Web Application Firewall (AWS WAF) Classic logging is disabled
Identifies Classic Web Application Firewall (AWS WAF) web ACLs for which logging is disabled. Enabling WAF logging records all web requests inspected by the service, which can be used for debugging and forensics. The logs help you understand why certain rules are triggered and why certain web requests are blocked, and you can integrate them with a SIEM or log analysis tools for further analysis. It is recommended to enable logging on your Classic WAF web ACLs.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-waf-classic-web-acl-resource' AND json.rule = '(resources.applicationLoadBalancer[*] exists or resources.apiGateway[*] exists or resources.other[*] exists) and loggingConfiguration.resourceArn does not exist'
Azure Service bus namespace not configured with Azure Active Directory (Azure AD) authentication
Identifies Service Bus namespaces that are not configured with Azure Active Directory (Azure AD) authentication and still have local authentication enabled. Azure AD provides better security and ease of use than shared access signatures (SAS): with Azure AD there is no need to store tokens in your code and risk exposing them. It is recommended to configure Service Bus namespaces with Azure AD authentication so that all actions are strongly authenticated.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-service-bus-namespace' AND json.rule = properties.status equals "Active" and (properties.disableLocalAuth does not exist or properties.disableLocalAuth is false)
Azure Virtual Machine vTPM feature is disabled
Identifies Virtual Machines that have the Virtual Trusted Platform Module (vTPM) feature disabled. A vTPM provides enhanced security to the guest operating system. It is recommended to enable the virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM.
This assessment only applies to trusted launch enabled virtual machines. You can't enable trusted launch on existing virtual machines that were initially created without it.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState equal ignore case "PowerState/running" and ['properties.securityProfile'].['securityType'] equal ignore case "TrustedLaunch" and ['properties.securityProfile'].['uefiSettings'].['vTpmEnabled'] is false
Azure Virtual Machine (Windows) secure boot feature is disabled
Identifies Windows Virtual Machines that have the Secure Boot feature disabled. Enabling Secure Boot on supported Windows virtual machines mitigates malicious and unauthorized changes to the boot chain and helps protect your VMs against bootkits, rootkits, and kernel-level malware. It is recommended to enable Secure Boot for Azure Windows virtual machines.
This assessment only applies to trusted launch-enabled Windows virtual machines. You can't enable trusted launch on existing virtual machines that were initially created without it.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState equal ignore case "PowerState/running" and ['properties.storageProfile'].['osDisk'].['osType'] contains "Windows" and ['properties.securityProfile'].['securityType'] equal ignore case "TrustedLaunch" and ['properties.securityProfile'].['uefiSettings'].['secureBootEnabled'] is false
Azure Batch account is not configured with managed identity
Identifies Batch accounts that are not configured with a managed identity. A managed identity can authenticate to any service that supports Azure AD authentication without keeping credentials in your code. Storing credentials in code increases the attack surface if that code is exposed, and managed identities eliminate the need for developers to manage credentials. As a security best practice, it is recommended to assign a managed identity to your Batch account.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-batch-account' AND json.rule = properties.provisioningState equal ignore case Succeeded and identity does not exist or identity.type equal ignore case "None"
OCI Kubernetes Engine Cluster endpoint is not configured with Network Security Groups
Identifies Kubernetes Engine Cluster endpoints that are not configured with Network Security Groups. Network security groups give fine-grained control over resources and help restrict network access to your cluster endpoint. It is recommended to restrict access to the cluster endpoint by configuring network security groups.
config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-containers-artifacts-kubernetes-cluster' AND json.rule = lifecycleState equal ignore case ACTIVE and endpointConfig exists and (endpointConfig.nsgIds does not exist or endpointConfig.nsgIds equal ignore case "null" or endpointConfig.nsgIds is empty)
OCI Kubernetes Engine Cluster boot volume is not configured with in-transit data encryption
Identifies Kubernetes Engine Cluster node pools whose boot volumes are not configured with in-transit data encryption. Enabling in-transit encryption on a node pool's boot volumes encrypts data moving between the instance, the boot volume, and the block volumes; all such data is transferred over an internal, highly secure network. It is recommended that cluster boot volumes be configured with in-transit data encryption to minimize the risk of sensitive data being leaked.
config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-containers-artifacts-kubernetes-cluster-nodepool' AND json.rule = lifecycleState equal ignore case ACTIVE and (nodeConfigDetails.isPvEncryptionInTransitEnabled equal ignore case "null" or nodeConfigDetails.isPvEncryptionInTransitEnabled does not exist)
OCI Kubernetes Engine Cluster pod security policy not enforced
Identifies Kubernetes Engine Clusters that are not enforced with pod security policy. The Pod Security Policy defines a set of conditions that pods must meet to be accepted by the cluster; when a request to create or update a pod does not meet the conditions in the pod security policy, that request is rejected and an error is returned.
config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-containers-artifacts-kubernetes-cluster' AND json.rule = lifecycleState equal ignore case ACTIVE and options.admissionControllerOptions.isPodSecurityPolicyEnabled is false
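Several of the new policies above share one shape: a lifecycle/state gate, then a check that a protective setting is missing or false. As an added example that is not Prisma Cloud code, the json.rule part of the Lambda function URL AuthType, DocumentDB/Neptune deletion protection, WAFv2 logging, Service Bus local auth, Trusted Launch vTPM/Secure Boot, and OKE endpoint NSG policies is re-implemented below as Python predicates over resource JSON, so the conditions can be run against an exported inventory outside the console. Field names follow the RQL on the page; the sample inventory, its IDs and ARNs are constructed.

```python
"""Added example (not Prisma Cloud code): json.rule conditions of several of the
new August 2022 policies as Python predicates. The SAMPLE inventory is constructed."""


def lambda_url_authtype_none(fn):
    # 'authType equal ignore case NONE': a function with no authType field
    # (no function URL configured) is not flagged.
    return str(fn.get("authType", "")).upper() == "NONE"


def cluster_deletion_protection_off(cluster):
    # Same rule shape for aws-docdb-db-cluster and aws-neptune-db-cluster.
    return "available" in str(cluster.get("Status", "")) and cluster.get("DeletionProtection") is False


def waf_logging_disabled(acl):
    # Web ACL attached to at least one resource but with no logging destination ARN.
    res = acl.get("resources", {})
    attached = any(res.get(k) for k in ("applicationLoadBalancer", "apiGateway", "other"))
    return attached and "resourceArn" not in acl.get("loggingConfiguration", {})


def servicebus_local_auth_enabled(ns):
    # 'disableLocalAuth does not exist or ... is false': a missing field means SAS is still accepted.
    props = ns.get("properties", {})
    return props.get("status") == "Active" and props.get("disableLocalAuth") is not True


def trusted_launch_gaps(vm):
    """Protections that are off on a running Trusted Launch VM: 'vTPM' (any OS)
    and 'secureBoot' (Windows only). VMs without Trusted Launch are out of scope."""
    if str(vm.get("powerState", "")).lower() != "powerstate/running":
        return []
    props = vm.get("properties", {})
    sec = props.get("securityProfile", {})
    if str(sec.get("securityType", "")).lower() != "trustedlaunch":
        return []
    uefi = sec.get("uefiSettings", {})
    gaps = ["vTPM"] if uefi.get("vTpmEnabled") is False else []
    os_type = props.get("storageProfile", {}).get("osDisk", {}).get("osType", "")
    if "Windows" in os_type and uefi.get("secureBootEnabled") is False:
        gaps.append("secureBoot")
    return gaps


def oke_endpoint_without_nsg(cluster):
    if str(cluster.get("lifecycleState", "")).upper() != "ACTIVE":
        return False
    ep = cluster.get("endpointConfig")
    if ep is None:
        return False  # the RQL requires endpointConfig to exist
    nsgs = ep.get("nsgIds")
    return nsgs is None or nsgs == "null" or len(nsgs) == 0


# Constructed sample inventory keyed by api.name; all names, IDs and ARNs are made up.
SAMPLE = {
    "aws-lambda-list-functions": [
        {"functionName": "webhook", "authType": "NONE"},
        {"functionName": "admin", "authType": "AWS_IAM"},
        {"functionName": "batch-job"},
    ],
    "aws-neptune-db-cluster": [
        {"DBClusterIdentifier": "graph-prod", "Status": "available", "DeletionProtection": False},
        {"DBClusterIdentifier": "graph-dev", "Status": "creating", "DeletionProtection": False},
    ],
    "aws-waf-v2-web-acl-resource": [
        {"name": "edge-acl", "loggingConfiguration": {}, "resources": {"applicationLoadBalancer": [
            "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/0123"]}},
        {"name": "unused-acl", "loggingConfiguration": {}, "resources": {}},
    ],
    "azure-service-bus-namespace": [
        {"name": "sb-prod", "properties": {"status": "Active"}},
        {"name": "sb-locked", "properties": {"status": "Active", "disableLocalAuth": True}},
    ],
    "azure-vm-list": [
        {"name": "win-tl", "powerState": "PowerState/running", "properties": {
            "securityProfile": {"securityType": "TrustedLaunch",
                                "uefiSettings": {"vTpmEnabled": False, "secureBootEnabled": False}},
            "storageProfile": {"osDisk": {"osType": "Windows"}}}},
        {"name": "linux-std", "powerState": "PowerState/running", "properties": {
            "securityProfile": {"securityType": "Standard"},
            "storageProfile": {"osDisk": {"osType": "Linux"}}}},
    ],
    "oci-containers-artifacts-kubernetes-cluster": [
        {"name": "oke-a", "lifecycleState": "ACTIVE", "endpointConfig": {"nsgIds": []}},
        {"name": "oke-b", "lifecycleState": "ACTIVE",
         "endpointConfig": {"nsgIds": ["ocid1.networksecuritygroup.oc1.example"]}},
    ],
}


def evaluate(inv):
    """Run each predicate over its api.name bucket; returns violating resource names per policy."""
    return {
        "lambda-url-authtype-none": [f["functionName"] for f in inv["aws-lambda-list-functions"]
                                     if lambda_url_authtype_none(f)],
        "neptune-deletion-protection-disabled": [c["DBClusterIdentifier"] for c in inv["aws-neptune-db-cluster"]
                                                 if cluster_deletion_protection_off(c)],
        "wafv2-logging-disabled": [a["name"] for a in inv["aws-waf-v2-web-acl-resource"] if waf_logging_disabled(a)],
        "servicebus-local-auth-enabled": [n["name"] for n in inv["azure-service-bus-namespace"]
                                          if servicebus_local_auth_enabled(n)],
        "vm-trusted-launch-gaps": [f"{v['name']}:{g}" for v in inv["azure-vm-list"] for g in trusted_launch_gaps(v)],
        "oke-endpoint-without-nsg": [c["name"] for c in inv["oci-containers-artifacts-kubernetes-cluster"]
                                     if oke_endpoint_without_nsg(c)],
    }


if __name__ == "__main__":
    for policy, hits in evaluate(SAMPLE).items():
        print(f"{policy}: {hits}")
```

Two details of the RQL semantics are worth keeping when porting these checks elsewhere: the state gates (Status contains available, lifecycleState ACTIVE, PowerState/running) suppress findings on resources that are still being created or are stopped, and the "does not exist or is false" pattern means a field that is simply absent from the resource JSON counts as a violation for Service Bus and OKE, whereas for the Lambda URL rule an absent authType means no function URL and no finding.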

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Support for HITRUST CSF v9.6.0
HITRUST CSF is a framework designed and built to streamline regulatory compliance through a common set of security controls mapped to various standards such as HIPAA, NIST, HITECH, and others, to enable organizations, particularly healthcare, to achieve and maintain full compliance. The CSF contains 14 control categories that comprise 49 control objectives and 156 control specifications.
Support for Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a comprehensive framework that builds on the initial CMMC framework. The CMMC is a security assessment and verification standard for defense contractors serving the Department of Defense (DoD). The framework helps to assess the security levels of companies in the Defense Industrial Base (DIB) to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) against frequent and complex cyberattacks, including Advanced Persistent Threats.
Support for DFS 23 NYCRR 500
The New York DFS Cybersecurity Regulations (23 NYCRR 500) are a set of regulations from the New York Department of Financial Services (NYDFS) that impose cybersecurity requirements on all covered financial institutions.
These regulations are designed to ensure your organization can effectively protect your customers' confidential information from cyberattacks. These include conducting regular security risk assessments, keeping audit trails of asset use, providing defensive infrastructures, maintaining policies and procedures for cyber security, and creating an incident response plan.
Violation of these regulations can result in fines of up to US$250,000 or one percent of total bank assets.

REST API Updates

CHANGE
DESCRIPTION
Alert Response Count Updates
The alert count limit (the maximum number of items returned in one response) is 10,000 for the following Alerts APIs:
If you enter a value greater than 10,000 for the limit, an HTTP 400 response is returned. Supported values are 1 to 10,000; the default is 10,000.
Bulk Export Resource Archives
A new Data Service API endpoint is now available. It allows you to retrieve resource archives from AWS S3 for the required time period.
