Features Introduced in June 2022
Learn what’s new on Prisma™ Cloud in June 2022.
New Features Introduced in 22.6.3
New Features
API Ingestions
- Amazon Connect: aws-connect-instance. Additional permissions required:
- Amazon EventBridge: aws-events-rule. Additional permissions required:
  The Security Audit role includes these permissions.
- Amazon Pinpoint: aws-pinpoint-email-channel. Additional permissions required:
- Amazon Pinpoint: aws-pinpoint-sms-channel. Additional permissions required:
- Azure Synapse Analytics: azure-synapse-privatelinkhub-privatelinkresource. Additional permission required:
  The Reader role includes this permission.
- Azure Synapse Analytics: azure-synapse-privatelinkhub. Additional permission required:
  The Reader role includes this permission.
- Azure Synapse Analytics: azure-synapse-privatelinkresource. Additional permissions required:
  The Reader role includes these permissions.
- Google Cloud IAM: gcloud-iam-organization-deny-policy. Additional permissions required:
  The Viewer role includes these permissions.
- Google Cloud IAM: gcloud-iam-project-deny-policy. Additional permissions required:
  The Viewer role includes these permissions.
- Google Security Command Center: gcloud-security-command-center-organization-setting. Additional permission required:
  The Viewer role includes this permission.
- Google Security Command Center: gcloud-security-command-center-organization-notification-config. Additional permission required:
  The Viewer role includes this permission.
- Google Security Command Center: gcloud-security-command-center-organization-mute-config. Additional permission required:
  The Viewer role includes this permission.
- OCI Web Application Firewall: oci-waf-networkaddresslist. Additional permissions required:
  You must add the permissions manually.
- OCI Web Application Firewall: oci-waf-waaspolicy. Additional permissions required:
  You must add the permissions manually.

Update Google Compute Engine API
- Google Compute Engine: gcloud-ssl-certificate. This API will be updated to remove the following fields in the resource JSON:

Decommission of redlock.io Domain
This change was first announced in the look ahead that was published with the 22.5.2 release. The announcement about replacing the redlock.io domain name with prismacloud.io was first sent in July 2019. The redirect from redlock.io to prismacloud.io has therefore been removed and is no longer supported; the redlock.io domain is decommissioned.
New Policies and Policy Updates
See the look ahead updates for planned features and policy updates for 22.7.1.
New Policy
- AWS Lambda execution role having overly permissive inline policy: Identifies AWS Lambda Function execution roles that have an overly permissive inline policy embedded. Lambda functions with an overly permissive policy could lead to lateral movement within the account or to privilege escalation if compromised. It is highly recommended to apply a least-privilege access policy to protect Lambda Functions from unauthorized access.
- AWS IAM policy attached to AWS Lambda execution role is overly permissive: Identifies Lambda Function execution roles that have an overly permissive IAM policy attached. Lambda functions with an overly permissive policy could lead to lateral movement within the account or to privilege escalation if compromised. It is highly recommended to apply a least-privilege access policy to protect Lambda Functions from unauthorized access.
- Azure Microsoft Defender for Cloud set to Off for DNS: Identifies Azure Microsoft Defender for Cloud configurations in which the Defender setting for DNS is set to Off. Enabling Azure Defender provides advanced security capabilities such as threat intelligence, anomaly detection, and behavior analytics in Azure Microsoft Defender for Cloud. Defender for DNS monitors the queries and detects suspicious activities without the need for any additional agents on your resources. It is highly recommended to enable Azure Defender for DNS.
- AWS DocumentDB Cluster is not enabled with data encryption in transit: Identifies Amazon DocumentDB Clusters for which data encryption in transit is disabled. Each DocumentDB Cluster is associated with a Cluster Parameter Group. It is highly recommended to implement in-transit encryption in order to protect data from unauthorized access as it travels through the network between clients and the cluster.
- GCP Load Balancer SSL proxy permits SSL policies with weak cipher suites: Identifies GCP SSL Load Balancers that permit SSL policies with weak cipher suites. The GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites. To prevent usage of insecure features, SSL policies should use at least TLS 1.2 with the MODERN profile; or the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or a CUSTOM profile that does not support any of the following features:
- GCP Load Balancer HTTPS proxy permits SSL policies with weak cipher suites: Identifies GCP HTTPS Load Balancers that permit SSL policies with weak cipher suites. The GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites. To prevent usage of insecure features, SSL policies should use at least TLS 1.2 with the MODERN profile; or the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or a CUSTOM profile that does not support any of the following features:

Policy Updates-Metadata
- Azure Security Center system updates monitoring is set to disabled
  Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
  Current Name— Azure Security Center system updates monitoring is set to disabled
  Updated Name— Azure Microsoft Defender for Cloud system updates monitoring is set to disabled
  Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have system updates monitoring set to disabled. It retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services. The retrieved list depends on the service that’s configured for that virtual machine and recommends that the missing updates be applied. For Linux systems, the policy uses the distro-provided package management system to determine packages that have available updates. It also checks for security and critical updates from Azure Cloud Services virtual machines.
  Impact— No impact on alerts.
- Azure Security Center disk encryption monitoring is set to disabled
  Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
  Current Name— Azure Security Center disk encryption monitoring is set to disabled
  Updated Name— Azure Microsoft Defender for Cloud disk encryption monitoring is set to disabled
  Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have disk encryption monitoring set to disabled. Enabling disk encryption for virtual machines secures the data by encrypting it. It is recommended to set disk encryption monitoring in the Microsoft Defender for Cloud security policy.
  Impact— No impact on alerts.
- Azure Security Center adaptive application controls monitoring is set to disabled
  Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
  Current Name— Azure Security Center adaptive application controls monitoring is set to disabled
  Updated Name— Azure Microsoft Defender for Cloud adaptive application controls monitoring is set to disabled
  Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have adaptive application controls monitoring set to disabled. Adaptive Application Controls ensure that only certain applications can run on your VMs in Microsoft Azure. This prevents any malicious, unwanted, or unsupported software on the VMs.
  Impact— No impact on alerts.
- Azure Security Center endpoint protection monitoring is set to disabled
  Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
  Current Name— Azure Security Center endpoint protection monitoring is set to disabled
  Updated Name— Azure Microsoft Defender for Cloud endpoint protection monitoring is set to disabled
  Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have endpoint protection monitoring set to disabled. Enabling endpoint protection ensures that any issues or shortcomings in endpoint protection for all Microsoft Windows virtual machines are identified so that they can, in turn, be removed.
  Impact— No impact on alerts.
- Azure Security Center security configurations monitoring is set to disabled
  Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
  Current Name— Azure Security Center security configurations monitoring is set to disabled
  Updated Name— Azure Microsoft Defender for Cloud security configurations monitoring is set to disabled
  Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have security configurations monitoring set to disabled. Security configurations monitoring enables the daily analysis of operating system configurations. The rules for hardening the operating system, such as firewall rules and password and audit policies, are reviewed, and recommendations are made for setting the right level of security controls.
  Impact— No impact on alerts.
- Azure Security Center JIT network access monitoring is set to disabled
  Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
  Current Name— Azure Security Center JIT network access monitoring is set to disabled
  Updated Name— Azure Microsoft Defender for Cloud JIT network access monitoring is set to disabled
  Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have JIT network access monitoring set to disabled. Enabling JIT Network Access enhances the protection of VMs by creating a Just in Time VM. The JIT VM with an NSG rule restricts access to the ports used to connect to the VM to a pre-set time, and only after checking the Role Based Access Control permissions of the user. This feature helps control brute-force attacks on the VMs.
  Impact— No impact on alerts.

Policy Updates-RQL
- Azure Microsoft Defender for Cloud email notification for subscription owner is not set
  Changes— The policy RQL has been updated to look only at subscriptions where Defender is enabled and then check the email setting.
  Current RQL—
  Updated RQL—
  Impact— Low. Previously generated alerts for subscriptions where Defender is not enabled will be resolved as 'Policy_Updated'.
- Azure Security Center contact phone number not set
  Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes. The policy RQL has been updated to consider only Defender-enabled subscriptions.
  Current Name— Azure Security Center contact phone number not set
  Updated Name— Azure Microsoft Defender for Cloud security contact phone number is not set
  Updated Description— Identifies subscriptions that do not have a security contact phone number set for Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender). It is recommended to set a security contact phone number to receive notifications when Microsoft Defender for Cloud detects compromised resources.
  Current RQL—
  Updated RQL—
  Impact— Low. Previously generated alerts for subscriptions where Defender is not enabled will be resolved as 'Policy_Updated'.
- GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower
  Changes— The policy is modified to make it compliant with the CIS requirement to exclude alerting for SSL policies with profile type 'RESTRICTED'.
  Current RQL—
  Updated RQL—
  Impact— Low. The alerts associated with the profile type RESTRICTED will be resolved as 'Policy_Updated'.
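The two GCP SSL-policy rules above (the weak cipher suite checks for SSL and HTTPS proxies, and the updated TLS 1.1-or-lower policy that now excludes the RESTRICTED profile) can be expressed as plain code. The following is an added Python example, not Prisma Cloud's RQL: it models policies with the Compute Engine sslPolicies fields profile and minTlsVersion, treats a proxy with no sslPolicy as using GCP's default (TLS 1.0, COMPATIBLE), and, because the page's CUSTOM-profile feature list is not reproduced, returns CUSTOM policies for manual review instead of guessing. All resource names are constructed.

```python
from typing import Literal

Verdict = Literal["compliant", "non_compliant", "review"]

# GCP's default SSL policy, applied when a proxy has no sslPolicy attached:
# minimum TLS 1.0 with the COMPATIBLE profile (per the policy text above).
DEFAULT_POLICY = {"name": "<gcp-default>", "profile": "COMPATIBLE", "minTlsVersion": "TLS_1_0"}
WEAK_TLS = {"TLS_1_0", "TLS_1_1"}


def weak_cipher_verdict(policy: dict) -> Verdict:
    """'... permits SSL policies with weak cipher suites' (SSL and HTTPS proxy variants).

    RESTRICTED is acceptable on its own; MODERN is acceptable only with TLS 1.2 as the
    minimum; COMPATIBLE never is. A CUSTOM profile has to be compared against the
    feature list in the policy text, which is not reproduced here, so it is flagged
    for manual review rather than guessed at.
    """
    profile = policy.get("profile", "COMPATIBLE")
    min_tls = policy.get("minTlsVersion", "TLS_1_0")
    if profile == "RESTRICTED":
        return "compliant"
    if profile == "MODERN":
        return "compliant" if min_tls == "TLS_1_2" else "non_compliant"
    if profile == "CUSTOM":
        return "review"
    return "non_compliant"  # COMPATIBLE or an unrecognised profile


def tls_version_verdict(policy: dict) -> Verdict:
    """'... configured with SSL policy having TLS version 1.1 or lower', after the
    22.6.3 change: RESTRICTED is excluded because it effectively requires TLS 1.2
    regardless of what minTlsVersion says."""
    if policy.get("profile") == "RESTRICTED":
        return "compliant"
    return "non_compliant" if policy.get("minTlsVersion", "TLS_1_0") in WEAK_TLS else "compliant"


def evaluate_proxies(proxies: list[dict], policies: dict[str, dict]) -> dict[str, dict[str, str]]:
    """Resolve each target proxy's sslPolicy (falling back to the GCP default when
    none is attached) and run both checks against it."""
    results: dict[str, dict[str, str]] = {}
    for proxy in proxies:
        policy = policies.get(proxy.get("sslPolicy", ""), DEFAULT_POLICY)
        results[proxy["name"]] = {
            "policy": policy["name"],
            "weak_ciphers": weak_cipher_verdict(policy),
            "tls_version": tls_version_verdict(policy),
        }
    return results


# Constructed sample data; none of these are real project resources.
SAMPLE_POLICIES = {
    "modern-12": {"name": "modern-12", "profile": "MODERN", "minTlsVersion": "TLS_1_2"},
    "modern-10": {"name": "modern-10", "profile": "MODERN", "minTlsVersion": "TLS_1_0"},
    "restricted-10": {"name": "restricted-10", "profile": "RESTRICTED", "minTlsVersion": "TLS_1_0"},
    "custom-12": {"name": "custom-12", "profile": "CUSTOM", "minTlsVersion": "TLS_1_2"},
}
SAMPLE_PROXIES = [
    {"name": "https-proxy-a", "sslPolicy": "modern-12"},
    {"name": "https-proxy-b", "sslPolicy": "modern-10"},
    {"name": "ssl-proxy-c", "sslPolicy": "restricted-10"},
    {"name": "https-proxy-d"},  # no sslPolicy: the GCP default applies
    {"name": "ssl-proxy-e", "sslPolicy": "custom-12"},
]

if __name__ == "__main__":
    for name, r in evaluate_proxies(SAMPLE_PROXIES, SAMPLE_POLICIES).items():
        print(f"{name:14s} policy={r['policy']:14s} ciphers={r['weak_ciphers']:14s} tls={r['tls_version']}")
```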
REST API Updates
- Removal of Update Access Key API Endpoint: The following endpoint has been removed: PUT /access_keys/{id}
New Features Introduced in 22.6.2
New Features
Change in Existing Behavior: Alert Count on Policy Violations
This change was first announced in the look ahead that was published with the 22.5.2 release. Earlier on Prisma Cloud, when an asset generated an alert for a policy violation, the alert was counted towards the most severe violation. For example, for an asset that had violations for low, medium, and high severity policies, the alert was counted only in the high category although it was also violating medium and low severity policies. With this method of counting alerts, when you view the total count of failed checks, it adds up to the sum of all low, medium, and high severity failures. This method of counting alerts is now modified to display the total count of policy violations for each severity. So, using the same example, if an asset has violations for low, medium, and high severity policies, the alert is now counted in each of the three categories. Therefore, when you view the total count of failed checks and compare it to the sum total of each category, the sum will be higher. This count is displayed in several places on the Prisma Cloud management console, such as the Compliance Overview, Asset Inventory (Inventory > Assets), and Alerts Overview. This change in how Prisma Cloud counts assets that failed policy checks will not be updated for any compliance reports generated before your Prisma Cloud instance is upgraded to the current release. This means that the count displayed in the table on Compliance Reports Compliance Overview

Skips API Ingestion when Cloud Billing on GCP is Disabled
When the Cloud Asset Inventory (CAI) service is enabled and Cloud Billing is disabled for a project, Prisma Cloud by default skips the ingestion of GCP APIs. This applies when the project is onboarded as a standalone project or as a child project of an organization, but not for a master service account (MSA).
Impact— If you do not enable CAI, Prisma Cloud will ingest all the GCP APIs even if Cloud Billing is disabled for a project.

Change in Existing Behavior: Resolution of Undeletes for Google Cloud Resources
This change was announced in the look ahead that was published with the 22.6.1 release. All the resources for gcloud-compute-networks-subnets-list and gcloud-compute-networks-list will be deleted once and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against policy violations.
Impact— You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-compute-networks-subnets-list and gcloud-compute-networks-list start ingesting data again.

Prisma Cloud Data Security: Download and Scan Files up to 100MB for Malware
The file size limit for malware scanning is increased from 20MB to 100MB. The uncompressed file size must be less than 100MB.

Prisma Cloud Data Security: Support for Big Data File Types
Prisma Cloud supports the following file types for data profile and data patterns:
The size of the .avro, .ORC, or .parquet files must be less than 2.5GB.

API Ingestions
- Amazon Managed Workflows for Apache Airflow: aws-mwaa-environment. Additional permissions required:
- AWS Systems Manager: aws-ssm-association. Additional permissions required:
  The Security Audit role includes the permissions.
- Azure Batch Account: azure-batch-account. Additional permission required:
  The Reader role includes the permission.
- Azure Data Shares: azure-data-shares-account. Additional permission required:
  The Reader role includes the permission.
- Azure Red Hat OpenShift: azure-redhat-openshift-cluster. Additional permission required:
  The Reader role includes the permission.
- Google Cloud Run Revision: gcloud-cloud-run-revisions-list. No new permissions; the Project Viewer role includes the required permissions.
- Google Data Catalog: gcloud-data-catalog-taxonomy. Additional permissions required:
  The Viewer role includes the permissions. Multi-region resources are not supported for Asia, EU, and US.
- Google Data Catalog: gcloud-data-catalog-entry-group. Additional permissions required:
  The Viewer role includes the permissions. Multi-region resources are not supported for Asia, EU, and US.
- Google Security Command Center: gcloud-security-command-center-organization-source. Additional permissions required:
  The Viewer role includes the permissions.
- OCI Compute: oci-compute-vnics. Additional permissions required:
  You must add the permissions manually.
- OCI Compute: oci-compute-vnicattachments. Additional permission required:
  You must add the permission manually.
- OCI Networking: oci-networking-dns-tsigkeys. Additional permissions required:
  You must add the permissions manually.

Update API Ingestion—Amazon VPC Attribute
The following API is updated with a new attribute, authorizationRules, which contains the authorization rules for the Client VPN endpoint.
- aws-ec2-client-vpn-endpoint. Additional permissions required:
  The Security Audit role includes the permissions.
Impact— No impact on alerts.
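The "Alert Count on Policy Violations" change above is easiest to see with numbers. The following is an added Python example, not Prisma Cloud code: it applies the pre-22.6.2 counting rule (each failing asset counted once, under its most severe violation) and the 22.6.2 rule (each failing asset counted in every severity it violates) to a constructed set of assets, and shows why the per-severity sum now exceeds the number of failed assets. It assumes an asset is counted once per severity bucket rather than once per violating policy.

```python
from collections import Counter

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample: each asset maps to the severities of the policies it violates.
# Assumption: under the new scheme an asset is counted once per severity bucket.
ASSET_VIOLATIONS = {
    "s3-bucket-logs": ["low", "medium", "high"],
    "lambda-ingest": ["medium", "low"],
    "rds-prod": ["high"],
    "vpc-default": ["low"],
    "ec2-bastion": [],  # passes every check
}


def count_by_most_severe(assets: dict[str, list[str]]) -> Counter:
    """Behaviour before 22.6.2: a failing asset is counted once, under its most
    severe violation, so the per-severity counts sum to the number of failed assets."""
    counts: Counter = Counter()
    for severities in assets.values():
        if severities:
            counts[max(severities, key=SEVERITY_RANK.__getitem__)] += 1
    return counts


def count_per_severity(assets: dict[str, list[str]]) -> Counter:
    """Behaviour from 22.6.2: a failing asset is counted in every severity it
    violates, so the per-severity sum can exceed the number of failed assets."""
    counts: Counter = Counter()
    for severities in assets.values():
        for sev in set(severities):
            counts[sev] += 1
    return counts


def failed_assets(assets: dict[str, list[str]]) -> int:
    """Number of distinct assets with at least one violation (unchanged by the release)."""
    return sum(1 for s in assets.values() if s)


if __name__ == "__main__":
    print("failed assets:", failed_assets(ASSET_VIOLATIONS))
    for label, counts in (("old", count_by_most_severe(ASSET_VIOLATIONS)),
                          ("new", count_per_severity(ASSET_VIOLATIONS))):
        print(f"{label}: high={counts['high']} medium={counts['medium']} "
              f"low={counts['low']} sum={sum(counts.values())}")
```

With the sample data the old counts sum to the 4 failed assets, while the new counts sum to 7, which is the discrepancy the release note describes between the failed-check total and the sum of the severity categories.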
New Policies and Policy Updates
See the look ahead updates for planned features and policy updates for 22.6.3.
New Policy
- AWS Lambda Function resource-based policy is overly permissive: Identifies Lambda Functions that have an overly permissive resource-based policy. Lambda functions with an overly permissive policy could lead to lateral movement within the account or to privilege escalation if compromised. It is highly recommended to apply a least-privilege access policy to protect Lambda Functions from unauthorized access.
- Azure MySQL database flexible server SSL enforcement is disabled: Identifies Azure MySQL database flexible servers for which SSL enforcement is disabled. SSL connectivity adds a layer of security by connecting the database server to client applications over Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and application.
- Azure MySQL database flexible server using insecure TLS version: Identifies Azure MySQL database flexible servers which are using an insecure TLS version. As a security best practice, use the newest TLS version as the minimum TLS version for Azure MySQL database flexible server. Currently, Azure MySQL database flexible server supports TLS 1.2, which resolves the security gaps of its preceding versions.

Policy Updates-Metadata
- AWS Lambda function communicating with ports known to mine Monero
  Changes— The policy description is updated to fix typos, and the cloud is changed from ANY to AWS.
  Updated Description— This policy identifies AWS Lambda functions which are communicating with ports known to mine Monero. AWS Lambda functions, when infected with Denonia malware, install XMRig mining software, which is used for mining Monero. It is highly recommended to restrict Lambda functions to known hosts or services only.
  Impact— No impact on alerts.

Policy Updates-RQL
- AWS Certificate Manager (ACM) has certificates with Certificate Transparency Logging disabled
  Changes— The policy RQL has been updated to check for valid ACM certificates, and remediation support has been added.
  Additional permission required to remediate the alert:
  Current RQL—
  Updated RQL—
  Remediation CLI—
  Impact— Low. Alerts will be resolved for ACM certificates that are expired or whose status is not ISSUED.
- AWS Customer Master Key (CMK) rotation is not enabled
  Changes— The policy RQL has been updated to check only for KMS symmetric keys.
  Current RQL—
  Updated RQL—
  Impact— Medium. The alerts will be resolved as ‘Policy_Updated’ for KMS resources that are configured with asymmetric keys.
- AWS Network Load Balancer (NLB) is not using the latest predefined security policy
  Changes— The policy RQL has been updated to include the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy and exclude the legacy security policy “ELBSecurityPolicy-2016-08”.
  Updated Description— This policy identifies Network Load Balancers (NLBs) which are not using the latest predefined security policy. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. It is therefore recommended to use the latest predefined security policy, which uses only secure protocols and ciphers.
  Current RQL—
  Updated RQL—
  Impact— Low. The alerts will be resolved as ‘Policy_Updated’ for AWS Network Load Balancers that are configured with the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy.
- AWS RDS Instance with copy tags to snapshots disabled
  Changes— The policy RQL has been updated to ignore RDS Instances with the Neptune engine.
  Current RQL—
  Updated RQL—
  Impact— Low. The alerts will be resolved as ‘Policy_Updated’ for Neptune DB resources.
- Azure Application Gateway allows TLSv1.1 or lower
  Changes— The policy name, description, RQL, and recommendation are updated because vendor support for TLS versions has been updated.
  Current RQL—
  Updated RQL—
  Impact— Previously generated alerts for resources which are configured with the new TLS predefined policy (TLSv1.3) will be resolved as ‘Policy_Updated’.
- GCP Firewall rule allows all traffic on Microsoft-DS port (445)
  Changes— The RQL for the policy is modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
  Additional permissions required:
  Current RQL—
  Updated RQL—
  Updated CLI—
  Impact— Low impact on existing alerts.
- GCP Firewall rule allows all traffic on MongoDB port (27017)
  Changes— The RQL for the policy is modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
  Additional permissions required:
  Current RQL—
  Updated RQL—
  Updated CLI—
  Impact— Low impact on existing alerts.
- GCP Firewall rule allows all traffic on Oracle DB port (1521)
  Changes— The RQL for the policy is modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
  Additional permissions required:
  Current RQL—
  Updated RQL—
  Updated CLI—
  Impact— Low impact on existing alerts.
- GCP Firewall rule allows all traffic on MySQL DB port (3306)
  Changes— The RQL for the policy is modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
  Additional permissions required:
  Current RQL—
  Updated RQL—
  Updated CLI—
  Impact— Low impact on existing alerts.
- GCP Firewall rule allows all traffic on SMTP port (25)
  Changes— The RQL for the policy is modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
  Additional permissions required:
  Current RQL—
  Updated RQL—
  Updated CLI—
  Impact— Low impact on existing alerts.
- GCP Firewall rule allows all traffic on PostgreSQL port (5432)
  Changes— The RQL for the policy is modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
  Additional permissions required:
  Current RQL—
  Updated RQL—
  Updated CLI—
  Impact— Low impact on existing alerts.
- GCP Firewall rule allows all traffic on NetBIOS-SSN port (139)
  Changes— The RQL for the policy is modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
  Additional permissions required:
  Current RQL—
  Updated RQL—
  Updated CLI—
  Impact— Low impact on existing alerts.
- GCP Firewall rule allows all traffic on DNS port (53)
  Changes— The RQL for the policy is modified to include IPv6 checks.
  Current RQL—
  Updated RQL—
  Impact— Low impact on existing alerts.
- GCP Firewall rule allows all traffic on FTP port (21)
  Changes— The RQL for the policy is modified to include IPv6 checks.
  Current RQL—
  Updated RQL—
  Impact— Low impact on existing alerts.
- GCP Firewall rule allows all traffic on SSH port (22)
  Changes— The RQL for the policy is modified to include IPv6 checks.
  Current RQL—
  Updated RQL—
  Impact— Low impact on existing alerts.
- GCP Firewall rule allows all traffic on RDP port (3389)
  Changes— The RQL for the policy is modified to include IPv6 checks.
  Current RQL—
  Updated RQL—
  Impact— Low impact on existing alerts.
- GCP Firewall rule allows all traffic on POP3 port (110)
  Changes— The RQL for the policy is modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
  Additional permissions required:
  Current RQL—
  Updated RQL—
  Updated CLI—
  Impact— Low impact on existing alerts.
- GCP Firewall with Inbound rule overly permissive to All Traffic
  Changes— The RQL for the policy is modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
  Additional permissions required:
  Current RQL—
  Updated RQL—
  Updated CLI—
  Impact— Low impact on existing alerts.
- GCP Firewall rule allows inbound traffic from anywhere with no specific target set
  Changes— The RQL for the policy is modified to include IPv6 checks. Also, the policy recommendation steps are modified to reflect the latest CSP changes.
  Current RQL—
  Updated RQL—
  Impact— Low impact on existing alerts.

If you have enabled the Code Security subscription on Prisma Cloud, see Code Security-Features Introduced in June 2022 for details on new Configuration Build policies, updates to add build rules for existing Configuration Run policies, and policy deletions.
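The GCP firewall policy updates above share three changes: skip rules that are disabled, treat an IPv6 "anywhere" source (::/0) the same as 0.0.0.0/0, and remediate by disabling the rule rather than deleting it. The following is an added Python example of that detection logic, not Prisma Cloud's RQL or its remediation CLI (which the page does not reproduce): it models rules with the Compute Engine firewall fields direction, disabled, sourceRanges and allowed, covers the ports named in the policy list, and emits a disable command using the standard gcloud --disabled flag as the assumed remediation. The sample rules are constructed.

```python
ANYWHERE = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "from anywhere" (the IPv6 check added in 22.6.2)
PROTOCOLS_WITH_PORTS = {"tcp", "udp"}
# Ports named in the policy updates above.
WATCHED_PORTS = {445: "Microsoft-DS", 27017: "MongoDB", 1521: "Oracle DB", 3306: "MySQL DB",
                 25: "SMTP", 5432: "PostgreSQL", 139: "NetBIOS-SSN", 110: "POP3",
                 53: "DNS", 21: "FTP", 22: "SSH", 3389: "RDP"}


def _port_in_spec(port: int, spec: str) -> bool:
    """GCP port specs are a single port ('22') or a range ('1000-2000')."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _allows_port(allowed: list[dict], port: int) -> bool:
    """True if any 'allowed' entry covers the port: protocol 'all', or tcp/udp with
    no 'ports' key (every port of that protocol) or a matching port spec."""
    for entry in allowed:
        proto = entry.get("IPProtocol", "").lower()
        if proto == "all":
            return True
        if proto in PROTOCOLS_WITH_PORTS:
            ports = entry.get("ports")
            if not ports or any(_port_in_spec(port, p) for p in ports):
                return True
    return False


def exposed_ports(rule: dict) -> list[int]:
    """Watched ports this rule opens to the whole internet. Empty for disabled,
    egress, or source-scoped rules, which is what the updated RQL now excludes."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return []
    if not ANYWHERE & set(rule.get("sourceRanges", [])):
        return []
    return sorted(p for p in WATCHED_PORTS if _allows_port(rule.get("allowed", []), p))


def remediation(rule: dict) -> str:
    """Disable rather than delete, matching the intent of the updated remediation CLI.
    Assumed standard gcloud invocation; the page itself does not show the command."""
    return f"gcloud compute firewall-rules update {rule['name']} --disabled"


def audit(rules: list[dict]) -> list[tuple[str, list[int]]]:
    """(rule name, exposed watched ports) for every rule that would raise an alert."""
    return [(r["name"], ports) for r in rules if (ports := exposed_ports(r))]


# Constructed sample rules (not from any real project).
SAMPLE_RULES = [
    {"name": "allow-ssh-v6", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-db-range", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3000-6000"]}]},
    {"name": "allow-all-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-smb-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["445"]}]},
    {"name": "egress-any", "direction": "EGRESS", "disabled": False,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for name, ports in audit(SAMPLE_RULES):
        names = ", ".join(f"{p} ({WATCHED_PORTS[p]})" for p in ports)
        print(f"{name}: open from anywhere on {names}")
        print("  remediation:", remediation({"name": name}))
```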
REST API Updates
No REST API updates for 22.6.2.
New Features Introduced in 22.6.1
New Features
API Ingestions
- AWS IAM: aws-iam-oidc-provider. Additional permissions required:
- AWS Lambda: aws-lambda-code-signing-config. Additional permission required:
- AWS Lambda: aws-lambda-list-functions. Additional permission required:
- AWS Route53 Resolver: aws-route53resolver-query-logging-config-association. Additional permission required:
- AWS Route53 Resolver: aws-route53resolver-query-logging-config. Additional permissions required:
- Azure HPC Cache: azure-hpc-cache. Additional permissions required:
- Azure Media Service: azure-media-service-account. Additional permission required:
- Azure Service Fabric: azure-service-fabric-cluster. Additional permission required:
- Azure Virtual Network: azure-network-effective-nsg. Additional permission required:
  The Network Contributor role includes the permission, and it does not need to be explicitly granted if you have provided this role to Prisma Cloud.
- Azure Virtual Network: azure-network-effective-route-table. Additional permission required:
  The Network Contributor role includes the permission, and it does not need to be explicitly granted if you have provided this role to Prisma Cloud.
- Google Certificate Authority Service: gcloud-certificate-authority-revocation-lists. Additional permissions required:
- Google Compute Engine: gcloud-compute-backend-bucket. Additional permission required:
- Google Compute Engine: gcloud-compute-external-backend-service. Additional permission required:
- OCI Big Data Service: oci-bigdataservice-instances. Additional permissions required:
- OCI Data Integration: oci-dataintegration-workspaces. Additional permissions required:
- OCI Data Science: oci-datascience-projects. Additional permissions required:

Update Support for Azure Virtual Network API Ingestions
To support ingestion for these Azure Virtual Network APIs:
The Azure onboarding Terraform templates now include granular permissions for:
The Network Contributor role in Azure includes these two permissions, and they do not need to be explicitly granted if you have provided this role to Prisma Cloud.

Permissions in the Azure Terraform Template
The Azure Terraform template in Monitor and Monitor & Protect modes, used for onboarding Azure Subscriptions and Azure Tenants with Management Groups on Prisma Cloud, includes the following permission:
This permission is required in the Prisma Cloud custom role to support the Drift Detection capabilities in Code Security.

Change in Existing Behavior: Support for Google Cloud API Ingestions
When you onboard using granular permissions, you must provide additional permissions for the following GCP APIs:
These permissions are part of the predefined Viewer role and are automatically included if you are using that primitive role.
New Policies and Policy Updates
No new policies or policy updates for 22.6.1.
New Compliance Benchmarks and Updates
Support for Australian Energy Sector Cyber Security Framework (AESCSF)
The Australian Energy Sector Cyber Security Framework (AESCSF) provides a set of cybersecurity guidelines specifically tailored to the Australian energy sector. This framework enables the owners and operators of energy infrastructure in Australia to assess, evaluate, prioritize, and improve their cybersecurity posture. The framework involves the analysis of two aspects:

Support for Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)
The Australian Cyber Security Centre (ACSC) produces the Information Security Manual (ISM). The ISM outlines a cyber security framework that you can apply, using a risk management framework, to protect information and systems from cyber threats. The ISM is intended for Chief Information Security Officers, Chief Information Officers, cyber security professionals, and information technology managers.

Support for Australian Cyber Security Centre (ACSC) Essential Eight
The Australian Cyber Security Centre’s (ACSC) Essential Eight is a risk management framework that prioritizes eight mitigation strategies taken from the ACSC’s recommended Strategies to Mitigate Cyber Security Incidents. The Essential Eight security controls are:

Update New Zealand Information Security Manual (NZISM v3.4)
Prisma Cloud has extended compliance support to other cloud accounts, including Azure, Alibaba, GCP, and OCI, along with AWS.
REST API Updates
No REST API updates for 22.6.1.