Features Introduced in February 2022
Learn what's new on Prisma™ Cloud in February 2022.
New Features Introduced in 22.2.2
New Features
| FEATURE | DESCRIPTION |
|---|---|
| GA Knowledge Center | Knowledge Center provides in-product and in-context guidance based on your current workflow without taking you away from the Prisma Cloud app. Access the Knowledge Center from the lower left navigation to see content relevant to what you are trying to accomplish at that particular moment. The topics listed under the Knowledge Center are refreshed automatically when you move to a different page. |
| Improved Alert Rule Workflow | The improved and more intuitive Add Alert Rule modal, with a faster-loading UI, provides a better user experience. You can select the optional Alert Notifications, Auto-Remediation, or Auto-Actions (Limited GA) settings up front while creating an alert rule. Alert Rules also include a summary page where you can review your selections. |
| Improved Integration Status Checks and Test Notifications | For most integrations, Prisma Cloud performed periodic checks to identify exceptions or failures in processing notifications, which generated a large number of test notifications. Now you can use the on-demand status check (the Get Status icon under Settings > Integrations) to check the integration status. If an exception or failure in processing a notification occurs, an alarm is generated; you can view these alarms in the Alarm Center. |
| Change in Existing Behavior: Removal of Host Findings Count from Network Anomaly Alert Details | When a policy violation occurs, the count of host vulnerability findings is no longer displayed with the alert details. The count is visible on the Resource Explorer, which you can open from the link in the alert details. |
| API Ingestions | AWS Storage Gateway `aws-storage-gateway-fileshare`. Additional permissions required: |
| | AWS Storage Gateway `aws-storage-gateway-information`. Additional permissions required: |
| | Amazon Lightsail `aws-lightsail-instance`. Additional permission required: On Prisma Cloud, the `keyonlytags` tag value is displayed only for resources with key-only tags that are present in AWS Lightsail instances. |
| | Azure Log Analytics `azure-log-analytics-workspace`. Additional permission required: |
| Update AWS GuardDuty Detector API | The `aws-guardduty-detector` API is updated to include two new fields, `accountId` and `relationshipStatus`, in the JSON as shown below: |
| Update Permission in the AWS CFT | The AWS CFT for Monitor now includes additional permissions for EKS auditing for onboarded cloud accounts. The AWS CFT for Monitor and Protect includes additional permissions for agentless scanning on EC2 for onboarded cloud accounts. |
| Removal of Support for Deprecated RQL Query Format | The `config where`, `event where`, and `network where` query formats are no longer supported. |
New Policies and Policy Updates
See the look ahead updates for planned features and policy updates for 22.3.1.
| POLICY UPDATES | DESCRIPTION |
|---|---|
| Policy Updates | Improved Anomalous Compute Provisioning Policy: To improve detection capability and reduce the false negative rate of the Anomalous Compute Provisioning policy, it has been moved from subject-based modeling to cloud account-based modeling for volumetric detection. Activity from all subjects (for example, user accounts) belonging to the same cloud account is now part of the model. Subjects with no or low activity during the training period qualify for anomaly detection, provided there are sufficient events at the account level. |
REST API Updates
| CHANGE | DESCRIPTION |
|---|---|
| New Policy API Endpoint to Validate a Policy Rule | The following new Policy API endpoint is available. It enables you to validate a policy rule without creating a policy: |
| Host Findings Count in Network Anomaly Alerts | The response object of the following API request no longer includes the host findings count: Specifically: You can still access host findings data through: |
New Features Introduced in 22.2.1
New Features
| FEATURE | DESCRIPTION |
|---|---|
| Network Exposure of Cloud Resources | Prisma Cloud Network Security helps enhance your network security posture within public cloud environments. Its Network Analyzer engine automatically calculates the net effective reachability of your cloud resources, such as EC2, RDS, and Redshift ENIs. In addition, it helps detect unrestricted network access from the Internet or external network domains. Using RQL queries on the Investigate page, you can understand the reachability of your cloud assets and also check whether someone has exploited the overly permissive network access. Network exposure queries are currently supported only on AWS, and are not available in Government and China regions. |
| GA Adoption Advisor | Tracking and measuring your adoption of new features and existing capabilities on Prisma Cloud just got easier! The Adoption Advisor is generally available to all customers: it gives visibility into your adoption journey, identifies features you have not yet explored, helps you make the most of your investment, and provides guidance on where to take action. |
| ServiceNow Test Incident Improvement | The Prisma Cloud integration with ServiceNow has been improved to generate only one test incident for the Open, Dismissed, or Resolved alert notification states configured within a notification template. With this change, when you test a new integration, only a single incident is sent to your ServiceNow instance as it transitions through the different alert states. This change applies only to the Incident and Security types in ServiceNow. |
| Change in Existing Behavior: VM Count on Asset Inventory | The Asset Inventory page has been double counting the number of Azure VMs in your deployment. To address this issue, the 22.2.1 release includes a fix that reduces the Azure VM count in the Asset Inventory by half (a drop of around 50%). This change has no impact on RQL or licensing. |
| API Ingestions | AWS CodeArtifact `aws-code-artifact-repository`. Additional permissions required: |
| | AWS CodeArtifact `aws-code-artifact-domain`. Additional permissions required: |
| | Azure Traffic Manager `azure-traffic-manager-profile`. Additional permission required: |
| | Azure Quantum `azure-quantum-workspace`. Additional permission required: |
| | Google Identity Aware Proxy `gcloud-identity-aware-proxy-client`. Additional permissions required: |
| | OCI Networking `oci-networking-routetable`. The permission required is: |
| | OCI Networking `oci-networking-internetgateway`. The permission required is: |
| | OCI Networking `oci-networking-drgattachment`. The permission required is: |
| | OCI Networking `oci-networking-drg`. The permission required is: |
| | OCI Networking `oci-networking-localpeeringgateway`. The permission required is: |
| | OCI Networking `oci-networking-natgateway`. The permission required is: |
| | OCI Networking `oci-networking-servicegateway`. The permission required is: |
| | OCI Networking `oci-networking-dns-zone`. The permission required is: |
| Update API Ingestion: SNS Subscription Attributes | The following API will no longer be ingested due to the high number of alerts it generated: Impact: Alerts will be resolved as Policy_Updated. |
New Policies and Policy Updates
| POLICY UPDATES | DESCRIPTION |
|---|---|
| New Policies | Azure MySQL Database Server using insecure TLS version: Identifies Azure MySQL Database Servers that use an insecure TLS version. As a best practice, use the newer TLS version as the minimum TLS version. |
| | Azure Storage Account using insecure TLS version: Identifies Azure Storage Accounts that use an insecure TLS version. As a best practice, use the newer TLS version as the minimum TLS version for Azure Storage Accounts. |
| | GCP VM instance OS login overrides Project metadata OS login configuration: Identifies GCP VM instances where the instance OS Login configuration overrides the project OS Login configuration. Enabling OS Login ensures that the SSH keys used to connect to instances are mapped to IAM users. Revoking access for an IAM user revokes all the SSH keys associated with that user, which enables centralized and automated SSH key pair management and is useful for handling cases such as responding to compromised SSH key pairs. |
| New Anomaly Policies | There are 16 new UEBA anomaly policies to detect user activity from the TOR anonymity network. TOR is often used by hackers to hide their identity so that suspicious operations, such as creating copies of VM images, cannot be traced back to them. Each policy corresponds to one of the service groups available in AWS, Azure, and GCP (for example, analytics, containers, compute, security, storage, and web). All the policies are classified as high severity and identify the defense evasion and impact attack tactics listed in the MITRE ATT&CK framework. The policies are disabled by default, but customers can enable them manually according to their security needs and the cloud services used in their environments. Here is the list of UEBA policies: |
| Reduction of Alerts for Anomaly Policies | The following anomaly policies have had their severity reduced from high to medium: The following anomaly policies have had their severity reduced from high to low: |
| New CNS Policies | AWS Redshift managed ENI reachable from any untrust internet source: Identifies network interfaces attached to a Redshift cluster that are exposed to inbound traffic from any untrusted Internet source. Redshift clusters exposed to the Internet are prone to external security threats. As a best practice, restrict network interfaces attached to the Redshift cluster to known hosts or services only. |
| | AWS RDS managed ENI reachable from any untrust internet source: Identifies network interfaces attached to RDS instances that are exposed to inbound traffic from any untrusted Internet source. RDS instances exposed to the Internet are prone to external security threats. As a best practice, restrict network interfaces attached to the RDS instance to known hosts or services only. |
| | AWS EC2 instance allows outbound unrestricted access (0.0.0.0/0) to the internet: Identifies EC2 instances that allow unrestricted outbound traffic to the Internet. As a best practice, restrict outbound traffic and limit access to known hosts or services. |
| | AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port: Identifies AWS EC2 instances that are reachable from the Internet with unrestricted access (0.0.0.0/0) on ports other than HTTP/HTTPS. EC2 instances with unrestricted access from the Internet enable bad actors to brute-force a system and gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities. |
| Delete AWS Security Group Related Policies | Changes: The following config policies are deleted because Cloud Network Analyzer alerts you on resources that are truly exposed to the Internet. You can create custom policies to alert on specific ports: Impact: Previously generated alerts will be resolved as Policy_Deleted. The compliance reports for the following standards are impacted: APRA (CPS 234) Information Security, AWS Foundational Security Best Practices standard, CIS Amazon Web Services Foundations Benchmark v1.4.0, Cybersecurity Maturity Model Certification (CMMC) v.1.02, Cloud Security Alliance Cloud Controls Matrix (CCM) Version 4.0.1, HITRUST v.9.4.2, ISO/IEC 27002:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, Brazilian Data Protection Law (LGPD), MAS TRM 2021, MLPS 2.0, MPAA Content Protection Best Practices, NIST SP 800-171 Revision 2, NIST SP 800-172, NIST 800-53 Rev4, NIST 800-53 Rev 5, NIST CSF, New Zealand Information Security Manual (NZISM v3.4), PCI DSS v3.2.1, Risk Management in Technology (RMiT), CCPA 2018, CSA CCM v3.0.1, GDPR, HITRUST CSF v9.3, MITRE ATT&CK |
| Delete Policies to Reduce Alert Fatigue | The following policies are deleted to reduce the number of alerts you receive: Impact: All open alerts will be resolved as Policy_Deleted. In addition, the reports for the following standards are impacted: APRA (CPS 234) Information Security, AWS Foundational Security Best Practices standard, Cybersecurity Maturity Model Certification (CMMC) v.1.02, Cloud Security Alliance Cloud Controls Matrix (CCM) Version 4.0.1, HITRUST v.9.4.2, ISO/IEC 27002:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, Brazilian Data Protection Law (LGPD), MAS TRM 2021, MLPS 2.0, NIST SP 800-171 Revision 2, NIST SP 800-172, NIST 800-53 Rev4, NIST 800-53 Rev 5, NIST CSF, New Zealand Information Security Manual (NZISM v3.4), PCI DSS v3.2.1, Risk Management in Technology (RMiT), CCPA 2018, CSA CCM v3.0.1, HITRUST CSF v9.3, MITRE ATT&CK version 6.3, MITRE ATT&CK v8.2, PIPEDA, SOC 2, and MITRE ATT&CK v10.0. |
| Policy Deletion | GCP sink not configured to export all log entries: This policy is deleted because GCP now supports two Cloud Logging buckets named `_Default` and `_Required`. These two buckets cannot be modified and, combined, store all the logs for a GCP project. Impact: Previously generated alerts will be resolved as Policy_Deleted. |
| Policy Updates: Metadata | Reduce Severity of CIS Policies. Changes: Cloud Network Analyzer replaces the following config policies to alert on resources that are truly exposed to the Internet; the severity of these policies is changed from high to low: Impact: No impact on existing alerts. |
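The two "insecure TLS version" policies above check a single resource property against a floor. The following Python script is an added illustration of that posture check, not Prisma Cloud's own policy logic; it runs over a constructed list of Azure-style resource records. The property names `minimumTlsVersion` (storage accounts) and `minimalTlsVersion` (MySQL servers) and the `TLSEnforcementDisabled` value follow the Azure resource model as understood here and should be confirmed against your own exported resource JSON; treating an absent floor as non-compliant is also an assumption.

```python
"""Minimum-TLS posture check over constructed Azure-style resource records.
Added example, not Prisma Cloud code.  Property names are assumptions
(see lead-in); the check itself is generic: parse the configured floor,
compare it with TLS 1.2, and report resources with no enforced floor."""

from typing import Dict, List, Optional, Tuple

REQUIRED_MIN_TLS = (1, 2)   # the "newer TLS version" to use as the floor

# Assumed mapping from ARM resource type to the property holding the floor.
TLS_PROPERTY = {
    "Microsoft.Storage/storageAccounts": "minimumTlsVersion",
    "Microsoft.DBforMySQL/servers": "minimalTlsVersion",
}


def parse_tls_version(value: Optional[str]) -> Optional[Tuple[int, int]]:
    """Map 'TLS1_2' -> (1, 2).  Returns None when no floor is enforced,
    i.e. the property is missing or set to 'TLSEnforcementDisabled'."""
    if not value or not value.upper().startswith("TLS"):
        return None
    digits = value[3:].replace("_", ".")
    try:
        major, minor = digits.split(".")
        return int(major), int(minor)
    except ValueError:
        return None


def check_resource(resource: Dict) -> Optional[str]:
    """Return a finding for a non-compliant resource, else None."""
    prop = TLS_PROPERTY.get(resource.get("type"))
    if prop is None:
        return None  # resource type not covered by these two policies
    raw = resource.get("properties", {}).get(prop)
    floor = parse_tls_version(raw)
    if floor is None:
        # Assumption: no enforced floor means legacy TLS clients are accepted.
        return f"{resource['name']}: no enforced TLS floor ({prop}={raw!r}); set {prop}=TLS1_2"
    if floor < REQUIRED_MIN_TLS:
        return f"{resource['name']}: {prop}={raw} is below TLS1_2"
    return None


def sample_resources() -> List[Dict]:
    """Constructed records shaped like ARM resource JSON (not real tenants).
    Weak settings sit beside the corrected ones for comparison."""
    return [
        {"name": "logsa01", "type": "Microsoft.Storage/storageAccounts",
         "properties": {"minimumTlsVersion": "TLS1_0"}},           # weak
        {"name": "backupsa02", "type": "Microsoft.Storage/storageAccounts",
         "properties": {"minimumTlsVersion": "TLS1_2"}},           # corrected
        {"name": "legacysa03", "type": "Microsoft.Storage/storageAccounts",
         "properties": {}},                                        # floor never set
        {"name": "ordersdb", "type": "Microsoft.DBforMySQL/servers",
         "properties": {"minimalTlsVersion": "TLSEnforcementDisabled"}},  # weak
        {"name": "reportsdb", "type": "Microsoft.DBforMySQL/servers",
         "properties": {"minimalTlsVersion": "TLS1_2"}},           # corrected
        {"name": "vnet-main", "type": "Microsoft.Network/virtualNetworks",
         "properties": {}},                                        # out of scope
    ]


def audit(resources: List[Dict]) -> List[str]:
    """Run the check over an inventory and collect the findings."""
    return [f for f in (check_resource(r) for r in resources) if f]


if __name__ == "__main__":
    for finding in audit(sample_resources()):
        print(finding)
```

Resources of other types are skipped rather than reported, which mirrors how a per-resource-type policy scopes itself; the unset and "enforcement disabled" cases are reported separately from an explicit old version so that remediation guidance can differ.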
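The Network Exposure feature in 22.2.1 and the four CNS policies above share the same criteria: a source of 0.0.0.0/0 is an untrusted Internet source, an RDS or Redshift ENI reachable from such a source is a finding, an EC2 instance with unrestricted egress is a finding, and an EC2 instance reachable from 0.0.0.0/0 on anything but HTTP/HTTPS is a finding. The Python below is an added illustration of those criteria applied to constructed security-group rules; it is not Prisma Cloud's Network Analyzer, which computes net effective reachability across security groups, NACLs, route tables and gateways, whereas this only inspects the rules attached to a resource. The `Rule` and `Resource` types, the `kind` labels, and treating `::/0` like `0.0.0.0/0` are assumptions made here.

```python
"""Simplified network-exposure checks over constructed security-group rules.
Added example, not Prisma Cloud code: only security-group rules are
evaluated (no NACLs, routes or gateways), so a real finding from the
product can differ from what this reports."""

import ipaddress
from dataclasses import dataclass, field
from typing import List

WEB_PORTS = {80, 443}    # the HTTP/HTTPS exception named in the EC2 policy
ALL_TRAFFIC = "-1"       # AWS encodes "all protocols" as -1


@dataclass
class Rule:
    direction: str       # "ingress" or "egress"
    protocol: str        # "tcp", "udp", "icmp" or "-1"
    from_port: int
    to_port: int
    cidr: str


@dataclass
class Resource:
    name: str
    kind: str            # "ec2", "rds" or "redshift" (constructed labels)
    rules: List[Rule] = field(default_factory=list)


def is_untrusted_source(cidr: str) -> bool:
    """A /0 prefix admits any Internet address.  The notes name 0.0.0.0/0;
    treating ::/0 the same way is an assumption of this example."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def covers_non_web_port(rule: Rule) -> bool:
    """True when the rule admits at least one port other than 80 or 443.
    Any multi-port range does: even 80..443 contains 81."""
    if rule.protocol == ALL_TRAFFIC:
        return True
    if rule.protocol not in ("tcp", "udp"):
        return True  # ICMP and friends have no port; they are not HTTP/HTTPS
    if rule.from_port == rule.to_port and rule.from_port in WEB_PORTS:
        return False
    return True


def evaluate(resource: Resource) -> List[str]:
    """Return the names of the checks the resource violates."""
    findings = []
    open_ingress = [r for r in resource.rules
                    if r.direction == "ingress" and is_untrusted_source(r.cidr)]
    open_egress = [r for r in resource.rules
                   if r.direction == "egress" and is_untrusted_source(r.cidr)]

    if resource.kind in ("rds", "redshift") and open_ingress:
        findings.append(f"{resource.kind} managed ENI reachable from untrusted internet source")
    if resource.kind == "ec2":
        if open_egress:
            findings.append("EC2 allows unrestricted outbound access (0.0.0.0/0)")
        if any(covers_non_web_port(r) for r in open_ingress):
            findings.append("EC2 internet reachable on ports other than HTTP/HTTPS")
    return findings


def sample_inventory() -> List[Resource]:
    """Constructed sample: a compliant web server, an EC2 host with SSH open
    to the world and unrestricted egress, an RDS ENI open to the world, and
    a Redshift ENI restricted to a private range."""
    return [
        Resource("web-01", "ec2", [
            Rule("ingress", "tcp", 443, 443, "0.0.0.0/0"),
            Rule("ingress", "tcp", 80, 80, "0.0.0.0/0"),
            Rule("egress", "tcp", 443, 443, "10.0.0.0/8"),
        ]),
        Resource("bastion-02", "ec2", [
            Rule("ingress", "tcp", 22, 22, "0.0.0.0/0"),
            Rule("egress", "-1", 0, 65535, "0.0.0.0/0"),
        ]),
        Resource("orders-db", "rds", [
            Rule("ingress", "tcp", 5432, 5432, "0.0.0.0/0"),
        ]),
        Resource("warehouse", "redshift", [
            Rule("ingress", "tcp", 5439, 5439, "10.1.0.0/16"),
        ]),
    ]


def run() -> dict:
    """Evaluate the sample inventory; maps resource name to its findings."""
    return {r.name: evaluate(r) for r in sample_inventory()}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings or ["no exposure finding"])
```

The single-port test in `covers_non_web_port` is deliberately strict: a range such as 80..443 opened "for web traffic" still exposes every port in between, which is exactly the case the "other than HTTP/HTTPS port" policy is meant to catch.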
New Compliance Benchmarks and Updates
| COMPLIANCE BENCHMARK | DESCRIPTION |
|---|---|
| Update Azure CIS v1.4.0 | The Azure Storage Account using insecure TLS version policy has been mapped to Azure CIS v1.4.0, section 3.12. Impact: No impact on existing alerts. The compliance score may be affected because a new mapping has been added. |
| Change: Anomaly Policies No Longer Mapped to Compliance Standards | Anomaly policies are no longer mapped to any compliance standard supported on Prisma Cloud, except for the MITRE ATT&CK framework. |
REST API Updates
| CHANGE | DESCRIPTION |
|---|---|
| CSPM API for Adoption Advisor | A new Adoption Advisor API enables you to explore data about the security capabilities you have adopted. It also uncovers unused capabilities that might improve your security hygiene. |