Prisma™ Cloud Release Notes
    : Features Introduced in February 2022
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Release Notes
    5. Prisma™ Cloud Release Information
    6. Features Introduced in 2022
    7. Features Introduced in February 2022
    Download PDF

    Prisma™ Cloud Release Notes

    Features Introduced in February 2022

    Table of Contents

    Features Introduced in February 2022

    Learn what’s new on Prisma™ Cloud in February 2022.

    New Features Introduced in 22.2.2

    New Features

    FEATURE
    DESCRIPTION
    GA
    Knowledge Center
    Knowledge Center
     provides in-product and in-context guidance based on your current workflow without taking you away from the Prisma Cloud app.
    Access the Knowledge Center on the lower left navigation to see content relevant to what you are trying to accomplish at that particular moment. The topics listed under the Knowledge Center get auto-refreshed when you move to a different page.
    Improved Alert Rule Workflow
    The improved and intuitive Add Alert Rule modal with a faster loading UI provides a better user experience. You can select the optional Alert Notifications, Auto-Remediation, or Auto-Actions ^Limited GA^ settings up front while creating an alert rule.
    The Alert Rules also includes a summary page where you can review your selection.
    API Ingestions
    AWS Storage Gateway
    aws-storage-gateway-fileshare
    Additional permissions required:
    • storagegateway:ListFileShares
    • storagegateway:DescribeNFSFileShares
    • storagegateway:DescribeSMBFileShares
    AWS Storage Gateway
    aws-storage-gateway-information
    Additional permissions required:
    • storagegateway:ListGateways
    • storagegateway:DescribeGatewayInformation
    • storagegateway:DescribeSMBSettings
    Amazon Lightsail
    aws-lightsail-instance
    Additional permission required:
    lightsail:GetInstances
    On Prisma Cloud, the keyonlytags tag value is only displayed for the resources with key only tags that are present in AWS Lightsail instances.
    Azure Log Analytics
    azure-log-analytics-workspace
    Additional permission required:
    Microsoft.OperationalInsights/workspaces/read
    Update
    AWS GuardDuty Detector API
    The
    aws-guardduty-detector
     API is updated to include two new fields,
    accountId
     and
    relationshipStatus
     in the JSON as shown below:
    "master": {
  "accountId": "375187248419",
  "relationshipStatus": "Enabled"
}
    Update
    Permission in the AWS CFT
    The AWS CFT for
    Monitor
     now includes additional permissions for EKS Auditing for onboarded cloud accounts. The AWS CFT for
    Monitor and Protect
     includes additional permissions for Agentless scanning on EC2 for onboarded cloud accounts.
    Removal of Support for Deprecated RQL Query Format
    The
    config where
     ,
    event where
     , and
    network where
     query formats are no longer supported.
    • Replace
      config where <rest of the query>
       with
      config from cloud.resource where <rest of the query>
    • Replace
      event where <rest of the query>
       with
      event from cloud.audit_logs where <rest of the query>
    • Replace
      network where <rest of the query>
       with
      network from vpc.flow_records where <rest of the query>

    New Policies and Policy Updates

    See the look ahead updates for planned features and policy updates for 22.3.1.
    POLICY UPDATES
    DESCRIPTION
    Policy Updates
    Improved Anomalous Compute Provisioning Policy
     For improving the detection capability and reducing the false negative rate of the
    Anomalous Compute Provisioning
     policy, it has been moved from subject-based modeling to cloud account-based modeling for volumetric detection. The activity from all subjects, for example, user accounts belonging to the same account are now part of the model. Those with no or low activity during the training period qualify for anomaly detection, provided there are sufficient events at the account level.

    REST API Updates

    CHANGE
    DESCRIPTION
    New Policy API Endpoint to Validate a Policy Rule
    The following new Policy API endpoint is available. It enables you to validate a policy rule without creating a policy:
    Host Findings Count in Network Anomaly Alerts
    The response object of the following API request no longer includes the host findings count:
    • GET /alert/{id}
    Specifically:
    • For a network anomaly alert where the source host is the reported vulnerability, the response object no longer includes attribute
      metadata.anomalyDetail.srcHost.hostFindingCount
      .
    • For a network anomaly alert where the target host is the reported vulnerability:** The response object no longer includes attribute
      targetHostFinding
      .
      • Response object attribute
        metadata.anomalyDetail.features[
        .targetHost.details[].hostFindingCount] is null.
    You can still access host findings data through:
    • GET /resource/external_finding

    New Features Introduced in 22.2.1

    New Features

    FEATURE
    DESCRIPTION
    Network Exposure of Cloud Resources
    Prisma Cloud Network Security helps enhance your network security posture within public cloud environments. Its Network Analyzer engine automatically calculates net effective reachability of your cloud resources such as EC2, RDS, and Redshift ENIs. In addition, it helps detect unrestricted network access from the Internet or external network domains.
    Using the RQL query 
    config from network where
    on the
    Investigate
     page, you can understand the reachability of your cloud assets and also validate if someone exploited the overly permissive network access.
    Network exposure queries are currently supported only on AWS.
    Network exposure queries are currently not available in Government and China regions.
    GA
    Adoption Advisor
    Tracking and measuring your adoption of new features and existing capabilities on Prisma Cloud just got easier!
    The Adoption Advisor is generally available to all and gives visibility into your adoption journey, identifies your unexplored features, helps you make the most of your investment, and provides guidance on where to take action.
    ServiceNow Test Incident Improvement
    The Prisma Cloud integration with ServiceNow has been improved to generate only one test incident for the
    Open
    ,
    Dismissed
    , or
    Resolved
     alert notification states configured within a notification template.
    With this change, when you test a new integration, only a single incident is sent to your ServiceNow instance as it transitions through the different alert states.
    This change is only applicable to the Incident and Security types in ServiceNow.
    Change in Existing Behavior
    VM Count on Asset Inventory
    The
    Asset Inventory
     page double counts the number of Azure VMs in your deployment.
    To address this issue, the 22.2.1 release includes a fix that will reduce the Azure VM count in half (drop of around 50%) in the Asset Inventory.
    With this change, there is no impact on RQL or licensing.
    API Ingestions
    AWS CodeArtifact
    aws-code-artifact-repository
    Additional permissions required:
    • codeartifact:ListRepositories
    • codeartifact:DescribeRepository
    • codeartifact:GetRepositoryPermissionsPolicy
    • codeartifact:ListTagsForResource
    AWS CodeArtifact
    aws-code-artifact-domain
    Additional permissions required:
    • codeartifact:ListDomains
    • codeartifact:DescribeDomain
    • codeartifact:GetDomainPermissionsPolicy
    • codeartifact:ListTagsForResource
    Azure Traffic Manager
    azure-traffic-manager-profile
    Additional permission required:
    Microsoft.Network/trafficManagerProfiles/read
    Azure Quantum
    azure-quantum-workspace
    Additional permission required:
    Microsoft.Quantum/Workspaces/Read
    Google Identity Aware Proxy
    gcloud-identity-aware-proxy-client
    Additional permissions required:
    • clientauthconfig.brands.list
    • clientauthconfig.clients.listWithSecrets
    OCI Networking
    oci-networking-routetable
    The permission required is:
    inspect subnets
    OCI Networking
    oci-networking-internetgateway
    The permission required is:
    INTERNET_GATEWAY_READ
    OCI Networking
    oci-networking-drgattachment
    The permission required is:
    DRG_ATTACHMENT_READ
    OCI Networking
    oci-networking-drg
    The permission required is:
    DRG_READ
    OCI Networking
    oci-networking-localpeeringgateway
    The permission required is:
    LOCAL_PEERING_GATEWAY_READ
    OCI Networking
    oci-networking-natgateway
    The permission required is:
    NAT_GATEWAY_READ
    OCI Networking
    oci-networking-servicegateway
    The permission required is:
    SERVICE_GATEWAY_READ
    OCI Networking
    oci-networking-dns-zone
    The permission required is:
    DNS_ZONE_INSPECT
    Update
    API Ingestion—SNS Subscription Attributes
    The following API will no longer be ingested due to a high number of alerts generated:
    aws-sns-get-subscription-attributes
    Impact—
     Alerts will be resolved as Policy_Updated.

    New Policies and Policy Updates

    POLICY UPDATES
    DESCRIPTION
    New Policies
    Azure MySQL Database Server using insecure TLS version
    Identifies Azure MySQL Database Servers which are using the insecure TLS version. As a best practice, use the newer TLS version as the minimum TLS version.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-server' AND json.rule = properties.sslEnforcement equals Enabled and properties.minimalTlsVersion does not equal TLS1_2
    Azure Storage Account using insecure TLS version
    Identifies Azure Storage Accounts which are using the insecure TLS version. As a best practice, use the newer TLS version as the minimum TLS version for Azure Storage Accounts.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = properties.supportsHttpsTrafficOnly is true and properties.minimumTlsVersion does not equal TLS1_2
    GCP VM instance OS login overrides Project metadata OS login configuration
    Identifies GCP VM instances where the OS Login configuration is overriding the project OS Login configuration. Enabling OS Login ensures that the SSH keys used to connect to instances are mapped with IAM users. Revoking access to an IAM user will revoke all the SSH keys associated with that user—it facilitates centralized and automated SSH key pair management which is useful in handling cases like a response to compromised SSH key pairs.
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-project-info' AND json.rule = commonInstanceMetadata.items[?any(key contains "enable-oslogin" and (value contains "Yes" or value contains "Y" or value contains "True" or value contains "true" or value contains "TRUE" or value contains "1"))] exists as X; config from cloud.resource where api.name = 'gcloud-compute-instances-list' AND json.rule = (metadata.items[?any(key exists and key contains "enable-oslogin" and (value contains "False" or value contains "N" or value contains "No" or value contains "false" or value contains "FALSE" or value contains "0"))] exists and name does not start with "gke-" and status equals RUNNING) as Y;filter'$.Y.zone contains $.X.name';show Y;
    New Anomaly Policies
    There are 16 new UEBA anomaly policies to detect user activity from the TOR anonymity network. TOR is often used by hackers to hide their identity so that their suspicious operations like creating copies of VM images won’t be traced back to them. Each policy corresponds to one of the different service groups available in AWS, Azure, and GCP—for example—analytics, containers, compute, security, storage, and web. All the policies are classified as high severity and identify defense evasion and impact attack tactics listed in the MITRE ATT&CK framework. The policies are disabled by default, but customers can manually enable them according to their security needs and the cloud services used in their environments. Here’s the list of UEBA policies:
    • Suspicious activities in Security services
    • Suspicious activities in Application Integration services
    • Suspicious activities in Networking services
    • Suspicious activities in Analytics services
    • Suspicious activities in Monitoring / Management services
    • Suspicious activities in Database services
    • Suspicious activities in Compute services
    • Suspicious activities in Storage services
    • Suspicious activities in AI / ML services
    • Suspicious activities in Containers services
    • Suspicious activities in Migration services
    • Suspicious activities in IoT services
    • Suspicious activities in Dev Tools services
    • Suspicious activities in Media services
    • Suspicious login activity
    • Suspicious activities in Web services
    Reduction of Alerts for Anomaly Policies
    The following anomaly policies have a reduction from high to medium:
    • Account hijacking attempts
    • Excessive login failures
    • Port scan activity (Internal)
    • Port sweep activity (Internal)
    • Spambot activity
    • Unusual protocol activity (External)
    • Unusual protocol activity (Internal)
    • Unusual server port activity (External)
    • Unusual server port activity (Internal)
    • Unusual user activity
    The following anomaly policies have a reduction from high to low:
    • Port scan activity (External)
    • Port sweep activity (External)
    New CNS Policies
    AWS Redshift managed ENI reachable from any untrust internet source
     Identifies Network interfaces attached to the Redshift cluster that are exposed to inbound traffic from any untrusted Internet source. Redshift clusters exposed to the Internet are prone to external security threats. As a best practice, restrict network interfaces that are attached to the Redshift cluster to known hosts or services only.
    AWS RDS managed ENI reachable from any untrust internet source
     Identifies Network interfaces attached to RDS instances that are exposed to inbound traffic from any untrusted Internet source. RDS instances exposed to the Internet are prone to external security threats. As a best practice, restrict network interfaces that are attached to the RDS instance to known hosts or services only.
    AWS EC2 instance allows outbound unrestricted access (0.0.0.0/0) to the internet
     Identifies EC2 instances that allow unrestricted outbound traffic to the Internet. As a best practice, restrict outbound traffic and limit the access to known hosts or services.
    AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port
     Identifies AWS EC2 instances that are reachable from the Internet with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port. EC2 instances with unrestricted access to the Internet enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit the access to known hosts, services, or specific entities.
    Delete AWS Security Group Related Policies
    Changes–
     The following
    config
     policies are deleted because Cloud Network Analyzer provides you alerts for resources which are truly exposed to the Internet. You can create custom policies to alert on specific ports:
    • AWS Security Group overly permissive to all traffic
    • AWS Security Group allows all traffic on SMTP port (25)
    • AWS Security Group allows all traffic on ports which are not commonly used
    • AWS Network ACLs with Outbound rule to allow All Traffic
    • AWS Network ACLs with Inbound rule to allow All Traffic
    • AWS Security Group allows all traffic on ICMP (Ping) protocol
    • AWS Security Group Inbound rule overly permissive to all traffic on all protocols (-1)
    • AWS EC2 instance associated with a public IP subnet
    • AWS Security Group allows all traffic on CIFS port (445)
    • AWS Security Group allows all traffic on MYSQL port (4333)
    • AWS Security Group allows all traffic on MYSQL port (3306)
    • AWS Security Group allows all traffic on DNS port (53)
    • AWS Security Group allows all traffic on PostgreSQL port (5432)
    • AWS Security Group allows all traffic on NetBIOS port (138)
    • AWS Security Group allows all traffic on Windows RPC port (135)
    • AWS Security Group allows all traffic on SQL Server port (1433)
    • AWS Security Group allows all traffic on VNC Server port (5900)
    • AWS Security Group allows all traffic on SQL Server port (1434)
    • AWS Security Group allows all traffic on VNC Listener port (5500)
    • AWS Security Group allows all traffic on Telnet port (23)
    • AWS Security Group allows all traffic on FTP-Data port (20)
    • AWS Security Group allows all traffic on FTP port (21)
    • AWS Security Group allows all traffic on NetBIOS port (137)
    • AWS EC2 instances with Public IP and associated with Security Groups have Internet Access
    • AWS Network ACLs allow ingress traffic to server administration ports
    • AWS Network ACLs with Inbound rule to allow All ICMP IPv4
    • AWS Network ACLs with Inbound rule to allow All ICMP IPv6
    • AWS Network ACLs with Outbound rule to allow All ICMP IPv4
    • AWS Network ACLs with Outbound rule to allow All ICMP IPv6
    • AWS Redshift clusters should not be publicly accessible
    Impact–
     Previously generated alerts will be resolved as Policy_Deleted. The compliance reports for the following are impacted: APRA (CPS 234) Information Security, AWS Foundational Security Best Practices standard, CIS Amazon Web Services Foundations Benchmark v 1.4.0, Cybersecurity Maturity Model Certification (CMMC) v.1.02, Cloud Security Alliance Cloud Controls Matrix (CCM) Version 4.0.1, HITRUST v.9.4.2, ISO/IEC 27002:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, Brazilian Data Protection Law (LGPD), MAS TRM 2021, MLPS 2.0, MPAA Content Protection Best Practices, NIST SP 800-171 Revision 2, NIST SP 800-172, NIST 800-53 Rev4, NIST 800-53 Rev 5, NIST CSF, New Zealand Information Security Manual (NZISM v3.4), PCI DSS v3.2.1, Risk Management in Technology (RMiT), CCPA 2018, CSA CCM v3.0.1, GDPR, HITRUST CSF v9.3, MITRE ATT
    Delete Policies to Reduce Alert Fatigue
    The following policies are deleted to reduce the number of alerts you receive:
    • AWS EBS snapshot is not encrypted
    • AWS SNS topic with server-side encryption disabled
    • AWS CloudWatch Log groups encrypted using default encryption key instead of KMS CMK
    • AWS entities with risky permissions
    • AWS SNS topic not configured with secure data transport policy
    • AWS CloudFormation stack configured without SNS topic
    • GCP Storage bucket encrypted using default KMS key instead of a customer-managed key
    • AWS Lambda functions with tracing not enabled
    • AWS CloudWatch Log groups not configured with definite retention days
    • AWS Lambda Function is not assigned to access within VPC
    • AWS Lambda Environment Variables not encrypted at-rest using CMK
    • AWS RDS DB snapshot is encrypted using default KMS key instead of CMK
    • GCP Firewall rule logging disabled
    • AWS SQS server side encryption not enabled
    • GCP Pub/Sub topic is not encrypted using a customer-managed encryption key
    • GCP GCE Disk snapshot not encrypted with CSEK
    • AWS EBS Volume is unattached
    • AWS EC2 instance detailed monitoring disabled
    • Azure Virtual Machine is not assigned to an availability set
    • AWS Certificate Manager (ACM) has unused certificates
    • GCP storage bucket is not configured with default Event-Based Hold
    • AWS CloudFront Distributions with Field-Level Encryption not enabled
    • AWS Elastic Load Balancer v2 (ELBv2) with deletion protection feature disabled
    • GCP compute engine image not encrypted using customer-managed key
    • AWS ECS/Fargate task definition execution IAM Role not found
    • Azure Virtual Machine Boot Diagnostics Disabled
    • AWS Elastic Load Balancer (Classic) with connection draining disabled
    • GCP VM instances without metadata, zone or label information
    • AWS KMS Customer Managed Key not in use
    • AWS ECS fargate task definition logging is disabled
    • AWS SNS topic encrypted using default KMS key instead of CMK
    Impact–
     All open alerts will be resolved as Policy_Deleted. In addition, the reports for the following standards are impacted: APRA (CPS 234) Information Security, AWS Foundational Security Best Practices standard, Cybersecurity Maturity Model Certification (CMMC) v.1.02, Cloud Security Alliance Cloud Controls Matrix (CCM) Version 4.0.1, HITRUST v.9.4.2, ISO/IEC 27002:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, Brazilian Data Protection Law (LGPD), MAS TRM 2021, MLPS 2.0, NIST SP 800-171 Revision 2, NIST SP 800-172, NIST 800-53 Rev4, NIST 800-53 Rev 5, NIST CSF, New Zealand Information Security Manual (NZISM v3.4), PCI DSS v3.2.1, Risk Management in Technology (RMiT), CCPA 2018, CSA CCM v3.0.1, HITRUST CSF v9.3, MITRE ATT&CK version 6.3, MITRE ATT&CK v8.2, PIPEDA, SOC 2, and MITRE ATT&CK v10.0.
    Policy Deletion
    GCP sink not configured to export all log entries
     This policy is deleted as GCP started supporting two cloud logging buckets named _Default and _Required. These two buckets can’t be modified and when combined, store all the logs specific to a GCP project.
    Impact—
     Previously generated alerts will be resolved as Policy_Deleted.
    Policy Updates—Metadata
    Reduce Severity of CIS Policies
    Changes—
     Cloud Network Analyzer replaces the following
    config
     policies to alert for resources that are truly exposed to the Internet; the severity of these policies are changed from high to low:
    • AWS Security Group allows all traffic on RDP port (3389)
    • AWS Security Group allows all traffic on SSH port (22)
    • AWS Default Security Group does not restrict all traffic
    Impact–
     No impact on existing alerts.

    New Compliance Benchmarks and Updates

    COMPLIANCE BENCHMARK
    DESCRIPTION
    Update
    Azure CIS v1.4.0
    The
    Azure Storage Account using insecure TLS version
     policy has been mapped to Azure CIS v1.4.0, section 3.12.
    Impact—
     No impact on existing alerts. The compliance score may be impacted because a new mapping has been added.
    Change
    Anomaly Policies No Longer Mapped to Compliance Standards
    Anomaly policies are no longer mapped to any compliance standard supported on Prisma Cloud, except for the MITRE ATT&CK framework.

    REST API Updates

    CHANGE
    DESCRIPTION
    CSPM API for Adoption Advisor
    A new Adoption Advisor API enables you to explore data about the security capabilities you’ve adopted. It also uncovers unused capabilities that might optimize your security hygiene.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.