: Features Introduced in February 2022
Focus
Focus

Features Introduced in February 2022

Table of Contents

Features Introduced in February 2022

Learn what’s new on Prisma™ Cloud in February 2022.

New Features Introduced in 22.2.2

New Features

FEATURE
DESCRIPTION
GA
Knowledge Center
Knowledge Center
provides in-product and in-context guidance based on your current workflow without taking you away from the Prisma Cloud app.
Access the Knowledge Center on the lower left navigation to see content relevant to what you are trying to accomplish at that particular moment. The topics listed under the Knowledge Center get auto-refreshed when you move to a different page.
Improved Alert Rule Workflow
The improved and intuitive Add Alert Rule modal with a faster loading UI provides a better user experience. You can select the optional Alert Notifications, Auto-Remediation, or Auto-Actions ^Limited GA^ settings up front while creating an alert rule.
The Alert Rules also includes a summary page where you can review your selection.
API Ingestions
AWS Storage Gateway
aws-storage-gateway-fileshare
Additional permissions required:
  • storagegateway:ListFileShares
  • storagegateway:DescribeNFSFileShares
  • storagegateway:DescribeSMBFileShares
AWS Storage Gateway
aws-storage-gateway-information
Additional permissions required:
  • storagegateway:ListGateways
  • storagegateway:DescribeGatewayInformation
  • storagegateway:DescribeSMBSettings
Amazon Lightsail
aws-lightsail-instance
Additional permission required:
lightsail:GetInstances
On Prisma Cloud, the keyonlytags tag value is only displayed for the resources with key only tags that are present in AWS Lightsail instances.
Azure Log Analytics
azure-log-analytics-workspace
Additional permission required:
Microsoft.OperationalInsights/workspaces/read
Update
AWS GuardDuty Detector API
The
aws-guardduty-detector
API is updated to include two new fields,
accountId
and
relationshipStatus
in the JSON as shown below:
"master": { "accountId": "375187248419", "relationshipStatus": "Enabled" }
Update
Permission in the AWS CFT
The AWS CFT for
Monitor
now includes additional permissions for EKS Auditing for onboarded cloud accounts. The AWS CFT for
Monitor and Protect
includes additional permissions for Agentless scanning on EC2 for onboarded cloud accounts.
Removal of Support for Deprecated RQL Query Format
The
config where
,
event where
, and
network where
query formats are no longer supported.
  • Replace
    config where <rest of the query>
    with
    config from cloud.resource where <rest of the query>
  • Replace
    event where <rest of the query>
    with
    event from cloud.audit_logs where <rest of the query>
  • Replace
    network where <rest of the query>
    with
    network from vpc.flow_records where <rest of the query>

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 22.3.1.
POLICY UPDATES
DESCRIPTION
Policy Updates
Improved Anomalous Compute Provisioning Policy
For improving the detection capability and reducing the false negative rate of the
Anomalous Compute Provisioning
policy, it has been moved from subject-based modeling to cloud account-based modeling for volumetric detection. The activity from all subjects, for example, user accounts belonging to the same account are now part of the model. Those with no or low activity during the training period qualify for anomaly detection, provided there are sufficient events at the account level.

REST API Updates

CHANGE
DESCRIPTION
New Policy API Endpoint to Validate a Policy Rule
The following new Policy API endpoint is available. It enables you to validate a policy rule without creating a policy:
Host Findings Count in Network Anomaly Alerts
The response object of the following API request no longer includes the host findings count:
  • GET /alert/{id}
Specifically:
  • For a network anomaly alert where the source host is the reported vulnerability, the response object no longer includes attribute
    metadata.anomalyDetail.srcHost.hostFindingCount
    .
  • For a network anomaly alert where the target host is the reported vulnerability:** The response object no longer includes attribute
    targetHostFinding
    .
    • Response object attribute
      metadata.anomalyDetail.features[
      .targetHost.details[].hostFindingCount] is null.
You can still access host findings data through:
  • GET /resource/external_finding

New Features Introduced in 22.2.1

New Features

FEATURE
DESCRIPTION
Network Exposure of Cloud Resources
Prisma Cloud Network Security helps enhance your network security posture within public cloud environments. Its Network Analyzer engine automatically calculates net effective reachability of your cloud resources such as EC2, RDS, and Redshift ENIs. In addition, it helps detect unrestricted network access from the Internet or external network domains.
Using the RQL query
config from network where
on the
Investigate
page, you can understand the reachability of your cloud assets and also validate if someone exploited the overly permissive network access.
Network exposure queries are currently supported only on AWS.
Network exposure queries are currently not available in Government and China regions.
GA
Adoption Advisor
Tracking and measuring your adoption of new features and existing capabilities on Prisma Cloud just got easier!
The Adoption Advisor is generally available to all and gives visibility into your adoption journey, identifies your unexplored features, helps you make the most of your investment, and provides guidance on where to take action.
ServiceNow Test Incident Improvement
The Prisma Cloud integration with ServiceNow has been improved to generate only one test incident for the
Open
,
Dismissed
, or
Resolved
alert notification states configured within a notification template.
With this change, when you test a new integration, only a single incident is sent to your ServiceNow instance as it transitions through the different alert states.
This change is only applicable to the Incident and Security types in ServiceNow.
Change in Existing Behavior
VM Count on Asset Inventory
The
Asset Inventory
page double counts the number of Azure VMs in your deployment.
To address this issue, the 22.2.1 release includes a fix that will reduce the Azure VM count in half (drop of around 50%) in the Asset Inventory.
With this change, there is no impact on RQL or licensing.
API Ingestions
AWS CodeArtifact
aws-code-artifact-repository
Additional permissions required:
  • codeartifact:ListRepositories
  • codeartifact:DescribeRepository
  • codeartifact:GetRepositoryPermissionsPolicy
  • codeartifact:ListTagsForResource
AWS CodeArtifact
aws-code-artifact-domain
Additional permissions required:
  • codeartifact:ListDomains
  • codeartifact:DescribeDomain
  • codeartifact:GetDomainPermissionsPolicy
  • codeartifact:ListTagsForResource
Azure Traffic Manager
azure-traffic-manager-profile
Additional permission required:
Microsoft.Network/trafficManagerProfiles/read
Azure Quantum
azure-quantum-workspace
Additional permission required:
Microsoft.Quantum/Workspaces/Read
Google Identity Aware Proxy
gcloud-identity-aware-proxy-client
Additional permissions required:
  • clientauthconfig.brands.list
  • clientauthconfig.clients.listWithSecrets
OCI Networking
oci-networking-routetable
The permission required is:
inspect subnets
OCI Networking
oci-networking-internetgateway
The permission required is:
INTERNET_GATEWAY_READ
OCI Networking
oci-networking-drgattachment
The permission required is:
DRG_ATTACHMENT_READ
OCI Networking
oci-networking-drg
The permission required is:
DRG_READ
OCI Networking
oci-networking-localpeeringgateway
The permission required is:
LOCAL_PEERING_GATEWAY_READ
OCI Networking
oci-networking-natgateway
The permission required is:
NAT_GATEWAY_READ
OCI Networking
oci-networking-servicegateway
The permission required is:
SERVICE_GATEWAY_READ
OCI Networking
oci-networking-dns-zone
The permission required is:
DNS_ZONE_INSPECT
Update
API Ingestion—SNS Subscription Attributes
The following API will no longer be ingested due to a high number of alerts generated:
aws-sns-get-subscription-attributes
Impact—
Alerts will be resolved as Policy_Updated.

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
New Policies
Azure MySQL Database Server using insecure TLS version
Identifies Azure MySQL Database Servers which are using the insecure TLS version. As a best practice, use the newer TLS version as the minimum TLS version.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-server' AND json.rule = properties.sslEnforcement equals Enabled and properties.minimalTlsVersion does not equal TLS1_2
Azure Storage Account using insecure TLS version
Identifies Azure Storage Accounts which are using the insecure TLS version. As a best practice, use the newer TLS version as the minimum TLS version for Azure Storage Accounts.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = properties.supportsHttpsTrafficOnly is true and properties.minimumTlsVersion does not equal TLS1_2
GCP VM instance OS login overrides Project metadata OS login configuration
Identifies GCP VM instances where the OS Login configuration is overriding the project OS Login configuration. Enabling OS Login ensures that the SSH keys used to connect to instances are mapped with IAM users. Revoking access to an IAM user will revoke all the SSH keys associated with that user—it facilitates centralized and automated SSH key pair management which is useful in handling cases like a response to compromised SSH key pairs.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-project-info' AND json.rule = commonInstanceMetadata.items[?any(key contains "enable-oslogin" and (value contains "Yes" or value contains "Y" or value contains "True" or value contains "true" or value contains "TRUE" or value contains "1"))] exists as X; config from cloud.resource where api.name = 'gcloud-compute-instances-list' AND json.rule = (metadata.items[?any(key exists and key contains "enable-oslogin" and (value contains "False" or value contains "N" or value contains "No" or value contains "false" or value contains "FALSE" or value contains "0"))] exists and name does not start with "gke-" and status equals RUNNING) as Y;filter'$.Y.zone contains $.X.name';show Y;
New Anomaly Policies
There are 16 new UEBA anomaly policies to detect user activity from the TOR anonymity network. TOR is often used by hackers to hide their identity so that their suspicious operations like creating copies of VM images won’t be traced back to them. Each policy corresponds to one of the different service groups available in AWS, Azure, and GCP—for example—analytics, containers, compute, security, storage, and web. All the policies are classified as high severity and identify defense evasion and impact attack tactics listed in the MITRE ATT&CK framework. The policies are disabled by default, but customers can manually enable them according to their security needs and the cloud services used in their environments. Here’s the list of UEBA policies:
  • Suspicious activities in Security services
  • Suspicious activities in Application Integration services
  • Suspicious activities in Networking services
  • Suspicious activities in Analytics services
  • Suspicious activities in Monitoring / Management services
  • Suspicious activities in Database services
  • Suspicious activities in Compute services
  • Suspicious activities in Storage services
  • Suspicious activities in AI / ML services
  • Suspicious activities in Containers services
  • Suspicious activities in Migration services
  • Suspicious activities in IoT services
  • Suspicious activities in Dev Tools services
  • Suspicious activities in Media services
  • Suspicious login activity
  • Suspicious activities in Web services
Reduction of Alerts for Anomaly Policies
The following anomaly policies have a reduction from high to medium:
  • Account hijacking attempts
  • Excessive login failures
  • Port scan activity (Internal)
  • Port sweep activity (Internal)
  • Spambot activity
  • Unusual protocol activity (External)
  • Unusual protocol activity (Internal)
  • Unusual server port activity (External)
  • Unusual server port activity (Internal)
  • Unusual user activity
The following anomaly policies have a reduction from high to low:
  • Port scan activity (External)
  • Port sweep activity (External)
New CNS Policies
AWS Redshift managed ENI reachable from any untrust internet source
Identifies Network interfaces attached to the Redshift cluster that are exposed to inbound traffic from any untrusted Internet source. Redshift clusters exposed to the Internet are prone to external security threats. As a best practice, restrict network interfaces that are attached to the Redshift cluster to known hosts or services only.
AWS RDS managed ENI reachable from any untrust internet source
Identifies Network interfaces attached to RDS instances that are exposed to inbound traffic from any untrusted Internet source. RDS instances exposed to the Internet are prone to external security threats. As a best practice, restrict network interfaces that are attached to the RDS instance to known hosts or services only.
AWS EC2 instance allows outbound unrestricted access (0.0.0.0/0) to the internet
Identifies EC2 instances that allow unrestricted outbound traffic to the Internet. As a best practice, restrict outbound traffic and limit the access to known hosts or services.
AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port
Identifies AWS EC2 instances that are reachable from the Internet with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port. EC2 instances with unrestricted access to the Internet enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit the access to known hosts, services, or specific entities.
Delete AWS Security Group Related Policies
Changes–
The following
config
policies are deleted because Cloud Network Analyzer provides you alerts for resources which are truly exposed to the Internet. You can create custom policies to alert on specific ports:
  • AWS Security Group overly permissive to all traffic
  • AWS Security Group allows all traffic on SMTP port (25)
  • AWS Security Group allows all traffic on ports which are not commonly used
  • AWS Network ACLs with Outbound rule to allow All Traffic
  • AWS Network ACLs with Inbound rule to allow All Traffic
  • AWS Security Group allows all traffic on ICMP (Ping) protocol
  • AWS Security Group Inbound rule overly permissive to all traffic on all protocols (-1)
  • AWS EC2 instance associated with a public IP subnet
  • AWS Security Group allows all traffic on CIFS port (445)
  • AWS Security Group allows all traffic on MYSQL port (4333)
  • AWS Security Group allows all traffic on MYSQL port (3306)
  • AWS Security Group allows all traffic on DNS port (53)
  • AWS Security Group allows all traffic on PostgreSQL port (5432)
  • AWS Security Group allows all traffic on NetBIOS port (138)
  • AWS Security Group allows all traffic on Windows RPC port (135)
  • AWS Security Group allows all traffic on SQL Server port (1433)
  • AWS Security Group allows all traffic on VNC Server port (5900)
  • AWS Security Group allows all traffic on SQL Server port (1434)
  • AWS Security Group allows all traffic on VNC Listener port (5500)
  • AWS Security Group allows all traffic on Telnet port (23)
  • AWS Security Group allows all traffic on FTP-Data port (20)
  • AWS Security Group allows all traffic on FTP port (21)
  • AWS Security Group allows all traffic on NetBIOS port (137)
  • AWS EC2 instances with Public IP and associated with Security Groups have Internet Access
  • AWS Network ACLs allow ingress traffic to server administration ports
  • AWS Network ACLs with Inbound rule to allow All ICMP IPv4
  • AWS Network ACLs with Inbound rule to allow All ICMP IPv6
  • AWS Network ACLs with Outbound rule to allow All ICMP IPv4
  • AWS Network ACLs with Outbound rule to allow All ICMP IPv6
  • AWS Redshift clusters should not be publicly accessible
Impact–
Previously generated alerts will be resolved as Policy_Deleted. The compliance reports for the following are impacted: APRA (CPS 234) Information Security, AWS Foundational Security Best Practices standard, CIS Amazon Web Services Foundations Benchmark v 1.4.0, Cybersecurity Maturity Model Certification (CMMC) v.1.02, Cloud Security Alliance Cloud Controls Matrix (CCM) Version 4.0.1, HITRUST v.9.4.2, ISO/IEC 27002:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, Brazilian Data Protection Law (LGPD), MAS TRM 2021, MLPS 2.0, MPAA Content Protection Best Practices, NIST SP 800-171 Revision 2, NIST SP 800-172, NIST 800-53 Rev4, NIST 800-53 Rev 5, NIST CSF, New Zealand Information Security Manual (NZISM v3.4), PCI DSS v3.2.1, Risk Management in Technology (RMiT), CCPA 2018, CSA CCM v3.0.1, GDPR, HITRUST CSF v9.3, MITRE ATT
Delete Policies to Reduce Alert Fatigue
The following policies are deleted to reduce the number of alerts you receive:
  • AWS EBS snapshot is not encrypted
  • AWS SNS topic with server-side encryption disabled
  • AWS CloudWatch Log groups encrypted using default encryption key instead of KMS CMK
  • AWS entities with risky permissions
  • AWS SNS topic not configured with secure data transport policy
  • AWS CloudFormation stack configured without SNS topic
  • GCP Storage bucket encrypted using default KMS key instead of a customer-managed key
  • AWS Lambda functions with tracing not enabled
  • AWS CloudWatch Log groups not configured with definite retention days
  • AWS Lambda Function is not assigned to access within VPC
  • AWS Lambda Environment Variables not encrypted at-rest using CMK
  • AWS RDS DB snapshot is encrypted using default KMS key instead of CMK
  • GCP Firewall rule logging disabled
  • AWS SQS server side encryption not enabled
  • GCP Pub/Sub topic is not encrypted using a customer-managed encryption key
  • GCP GCE Disk snapshot not encrypted with CSEK
  • AWS EBS Volume is unattached
  • AWS EC2 instance detailed monitoring disabled
  • Azure Virtual Machine is not assigned to an availability set
  • AWS Certificate Manager (ACM) has unused certificates
  • GCP storage bucket is not configured with default Event-Based Hold
  • AWS CloudFront Distributions with Field-Level Encryption not enabled
  • AWS Elastic Load Balancer v2 (ELBv2) with deletion protection feature disabled
  • GCP compute engine image not encrypted using customer-managed key
  • AWS ECS/Fargate task definition execution IAM Role not found
  • Azure Virtual Machine Boot Diagnostics Disabled
  • AWS Elastic Load Balancer (Classic) with connection draining disabled
  • GCP VM instances without metadata, zone or label information
  • AWS KMS Customer Managed Key not in use
  • AWS ECS fargate task definition logging is disabled
  • AWS SNS topic encrypted using default KMS key instead of CMK
Impact–
All open alerts will be resolved as Policy_Deleted. In addition, the reports for the following standards are impacted: APRA (CPS 234) Information Security, AWS Foundational Security Best Practices standard, Cybersecurity Maturity Model Certification (CMMC) v.1.02, Cloud Security Alliance Cloud Controls Matrix (CCM) Version 4.0.1, HITRUST v.9.4.2, ISO/IEC 27002:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, Brazilian Data Protection Law (LGPD), MAS TRM 2021, MLPS 2.0, NIST SP 800-171 Revision 2, NIST SP 800-172, NIST 800-53 Rev4, NIST 800-53 Rev 5, NIST CSF, New Zealand Information Security Manual (NZISM v3.4), PCI DSS v3.2.1, Risk Management in Technology (RMiT), CCPA 2018, CSA CCM v3.0.1, HITRUST CSF v9.3, MITRE ATT&CK version 6.3, MITRE ATT&CK v8.2, PIPEDA, SOC 2, and MITRE ATT&CK v10.0.
Policy Deletion
GCP sink not configured to export all log entries
This policy is deleted as GCP started supporting two cloud logging buckets named _Default and _Required. These two buckets can’t be modified and when combined, store all the logs specific to a GCP project.
Impact—
Previously generated alerts will be resolved as Policy_Deleted.
Policy Updates—Metadata
Reduce Severity of CIS Policies
Changes—
Cloud Network Analyzer replaces the following
config
policies to alert for resources that are truly exposed to the Internet; the severity of these policies are changed from high to low:
  • AWS Security Group allows all traffic on RDP port (3389)
  • AWS Security Group allows all traffic on SSH port (22)
  • AWS Default Security Group does not restrict all traffic
Impact–
No impact on existing alerts.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Update
Azure CIS v1.4.0
The
Azure Storage Account using insecure TLS version
policy has been mapped to Azure CIS v1.4.0, section 3.12.
Impact—
No impact on existing alerts. The compliance score may be impacted because a new mapping has been added.
Change
Anomaly Policies No Longer Mapped to Compliance Standards
Anomaly policies are no longer mapped to any compliance standard supported on Prisma Cloud, except for the MITRE ATT&CK framework.

REST API Updates

CHANGE
DESCRIPTION
CSPM API for Adoption Advisor
A new Adoption Advisor API enables you to explore data about the security capabilities you’ve adopted. It also uncovers unused capabilities that might optimize your security hygiene.

Recommended For You