Features Introduced in June 2022
Learn what's new on Prisma™ Cloud in June 2022.
New Features Introduced in 22.6.2
New Features
Feature | Description |
---|---|
Change in Existing Behavior: Alert Count on Policy Violations (first announced in the look ahead published with the 22.5.2 release) | Earlier on Prisma Cloud, when an asset generated
an alert for a policy violation, the alert was counted only towards the
most severe violation. For example, for an asset that had violations
for low, medium, and high severity policies, the alert was counted only
in the high category although it was also violating medium and
low severity policies. With this method of counting alerts, the total count
of failed checks adds up to the sum of all low, medium, and high severity
failures. This method is now modified to display the total count of policy
violations for each severity. Using the same example, if an asset has
violations for low, medium, and high severity policies, the alert is now
counted in each of the three categories. Therefore, when you compare the
total count of failed checks to the sum of the three categories, the sum
will be higher. This count is displayed in several places on the Prisma
Cloud management console, such as the Compliance Overview, Asset
Inventory (Inventory > Assets), and Alerts Overview. This change in how
Prisma Cloud counts assets that failed policy checks will not be applied
to any compliance reports generated before your Prisma Cloud instance is
upgraded to the current release. This means that the count displayed in
the table on Compliance Reports Compliance Overview |
Skips API Ingestion when Cloud Billing on GCP is Disabled | When the Cloud Asset Inventory (CAI) service
is enabled and Cloud Billing is disabled for a project by default,
Prisma Cloud skips the ingestion of GCP APIs for that project. This applies
when the project is onboarded as a standalone project or as a child project
of an organization, but not for a master service account (MSA). Impact — If
you do not enable CAI, Prisma Cloud ingests all the GCP APIs
even if Cloud Billing is disabled for a project. |
Change in Existing Behavior: Resolution of Undeletes for Google Cloud Resources (announced in the look ahead published with the 22.6.1 release) | All the resources for gcloud-compute-networks-subnets-list and gcloud-compute-networks-list will
be deleted once and then regenerated on the management console. Existing
alerts corresponding to these resources will be resolved as Resource_Updated, and
new alerts will be generated against policy violations. Impact — You
may notice a reduced count for the number of alerts. However, the
alert count will return to the original numbers once the resources
for gcloud-compute-networks-subnets-list and gcloud-compute-networks-list start
ingesting data again. |
Prisma Cloud Data Security: Download and Scan Files up to 100MB for Malware | The file size limit for malware scanning is now
increased from 20MB to 100MB. The uncompressed file size must be less
than 100MB. |
Prisma Cloud Data Security: Support for Big Data File Types | Prisma Cloud supports the following
file types for data profile and data patterns:
The size of the .avro, .ORC, or .parquet files must be less than 2.5GB. |
API Ingestions | Amazon Managed Workflows for Apache Airflow (aws-mwaa-environment). Additional
permissions required:
|
| AWS Systems Manager (aws-ssm-association). Additional permissions required:
The Security Audit role includes the permissions. |
| Azure Batch Account (azure-batch-account). Additional permission required:
The Reader role includes the permission. |
| Azure Data Shares (azure-data-shares-account). Additional permission required:
The Reader role includes the permission. |
| Azure Red Hat OpenShift (azure-redhat-openshift-cluster). Additional permission required:
The Reader role includes the permission. |
| Google Cloud Run Revision (gcloud-cloud-run-revisions-list). No
new permissions; the Project Viewer role includes the required permissions. |
| Google Data Catalog (gcloud-data-catalog-taxonomy). Additional permissions required:
The Viewer role includes the permissions. Multi-region resources are
not supported for Asia, EU, and US. |
| Google Data Catalog (gcloud-data-catalog-entry-group). Additional permissions required:
The Viewer role includes the permissions. Multi-region resources are
not supported for Asia, EU, and US. |
| Google Security Command Center (gcloud-security-command-center-organization-source). Additional permissions required:
The Viewer role includes the permissions. |
| OCI Compute (oci-compute-vnics). Additional permissions required:
You must add the permissions manually. |
| OCI Compute (oci-compute-vnicattachments). Additional permission required:
You must add the permission manually. |
| OCI Networking (oci-networking-dns-tsigkeys). Additional permissions required:
You must add the permissions manually. |
Update API Ingestion: Amazon VPC Attribute | The following API is updated with a new attribute, authorizationRules, which
contains the authorization rules for the Client VPN endpoint: aws-ec2-client-vpn-endpoint. Additional
permissions required:
The Security Audit role includes the permissions. Impact —
No impact on alerts. |
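To see what the alert-count change means when reconciling dashboards before and after the upgrade, here is an added example (not Prisma Cloud code) that applies both counting methods to a constructed set of assets and the severities of the policies each one fails; asset names and severities are made up.

```python
# Added example, not Prisma Cloud's code: the two alert-counting methods
# described in the release note, applied to constructed sample data.
SEVERITY_ORDER = ("low", "medium", "high")  # least to most severe

# Constructed sample: asset name -> severities of the policies it fails.
SAMPLE_ASSETS = {
    "vm-1": {"low", "medium", "high"},
    "bucket-2": {"medium"},
    "db-3": {"low", "high"},
    "lb-5": {"high"},
    "vm-4": set(),  # compliant asset, no failed checks
}


def count_most_severe_only(assets):
    """Behaviour before 22.6.2: each failing asset is counted once,
    under the most severe policy it violates."""
    counts = dict.fromkeys(SEVERITY_ORDER, 0)
    for severities in assets.values():
        if severities:
            top = max(severities, key=SEVERITY_ORDER.index)
            counts[top] += 1
    return counts


def count_per_severity(assets):
    """Behaviour from 22.6.2: an asset is counted in every severity
    category it violates, so the category sum can exceed the asset count."""
    counts = dict.fromkeys(SEVERITY_ORDER, 0)
    for severities in assets.values():
        for sev in severities:
            counts[sev] += 1
    return counts


def failed_asset_total(assets):
    """Total number of assets with at least one failed check (unchanged)."""
    return sum(1 for severities in assets.values() if severities)


if __name__ == "__main__":
    total = failed_asset_total(SAMPLE_ASSETS)
    old = count_most_severe_only(SAMPLE_ASSETS)
    new = count_per_severity(SAMPLE_ASSETS)
    print("failed assets:", total)                          # 4
    print("old counts:", old, "sum", sum(old.values()))    # sum 4 == total
    print("new counts:", new, "sum", sum(new.values()))    # sum 7 > total
```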
New Policies and Policy Updates
See the look ahead updates for
planned features and policy updates for 22.6.3.
Policy Updates | Description |
---|---|
New Policy | AWS Lambda Function resource-based policy is overly permissive. Identifies Lambda
Functions that have an overly permissive resource-based policy. Lambda
functions with an overly permissive policy could lead to lateral
movement in the account or to privilege escalation when compromised.
It is highly recommended to apply a least-privilege access policy
to protect the Lambda Functions from unauthorized access. |
| Azure MySQL database flexible server SSL enforcement is disabled. Identifies
Azure MySQL database flexible servers for which SSL enforcement
is disabled. SSL connectivity provides an additional layer of security
by connecting the database server to client applications using Secure Sockets
Layer (SSL). Enforcing SSL connections between the database server
and client applications helps protect against 'man in the middle'
attacks by encrypting the data stream between the server and application. |
| Azure MySQL database flexible server using insecure TLS version. Identifies Azure
MySQL database flexible servers which are using an insecure TLS version. As
a security best practice, use the newer TLS version as the minimum
TLS version for the Azure MySQL database flexible server. Currently, Azure
MySQL database flexible server supports TLS 1.2, which resolves
the security gaps of its preceding versions. |
Policy Updates—Metadata | AWS Lambda function communicating with ports known to mine Monero. Changes — The
policy description is updated to fix typos, and the cloud is changed
from ANY to AWS. Updated Description — This policy identifies
AWS Lambda functions which are communicating with ports known to mine Monero. AWS
Lambda functions infected with Denonia malware install the XMRig
mining software, which is used for mining Monero. It is highly recommended
to restrict Lambda functions to known hosts or services only. Impact — No
impact on alerts. |
Policy Updates—RQL | AWS Certificate Manager (ACM) has certificates with Certificate Transparency Logging disabled. Changes — The
policy RQL has been updated to check for valid ACM certificates, and
remediation support has been added. Additional permission required
to remediate the alert:
Current RQL —
Updated RQL —
Remediation CLI —
Impact — Low.
Alerts will be resolved for ACM certificates that are expired or whose
status is not ISSUED. |
| AWS Customer Master Key (CMK) rotation is not enabled. Changes — The policy
RQL has been updated to check only for KMS symmetric keys.
Current RQL —
Updated RQL —
Impact — Medium.
The alerts will be resolved as 'Policy_Updated' for KMS resources
that are configured with asymmetric keys. |
| AWS Network Load Balancer (NLB) is not using the latest predefined security policy. Changes — The
policy RQL has been updated to include the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security
policy and exclude the legacy security policy "ELBSecurityPolicy-2016-08". Updated
Description — This policy identifies Network Load Balancers (NLBs) which
are not using the latest predefined security policy. A security
policy is a combination of protocols and ciphers. The protocol establishes
a secure connection between a client and a server and ensures that all
data passed between the client and your load balancer is private.
A cipher is an encryption algorithm that uses encryption keys to
create a coded message. It is therefore recommended to use the latest predefined security
policy, which uses only secure protocols and ciphers.
Current RQL —
Updated RQL —
Impact — Low.
The alerts will be resolved as 'Policy_Updated' for AWS Network
Load Balancers that are configured with the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security
policy. |
| AWS RDS Instance with copy tags to snapshots disabled. Changes — The policy
RQL has been updated to ignore RDS Instances with the Neptune engine.
Current RQL —
Updated RQL —
Impact — Low.
The alerts will be resolved as 'Policy_Updated' for Neptune DB resources. |
| Azure Application Gateway allows TLSv1.1 or lower. Changes — The policy name, description,
RQL, and recommendation are updated because vendor support for TLS versions
has been updated.
Current RQL —
Updated RQL —
Impact — Previously generated
alerts for resources which are configured with the new TLS predefined
policy (TLSv1.3) will be resolved as 'Policy_Updated'. |
| GCP Firewall rule allows all traffic on Microsoft-DS port (445). Changes — The
RQL for the policy is modified to check whether the firewall rule is disabled
and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable
firewall rule instead of deleting it. Additional permissions required:
Current RQL —
Updated RQL —
Updated CLI —
Impact — Low impact on existing alerts. |
| GCP Firewall rule allows all traffic on MongoDB port (27017). Changes — The
RQL for the policy is modified to check whether the firewall rule is disabled
and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable
firewall rule instead of deleting it. Additional permissions required:
Current RQL —
Updated RQL —
Updated CLI —
Impact — Low impact on existing alerts. |
| GCP Firewall rule allows all traffic on Oracle DB port (1521). Changes — The
RQL for the policy is modified to check whether the firewall rule is disabled
and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable
firewall rule instead of deleting it. Additional permissions required:
Current RQL —
Updated RQL —
Updated CLI —
Impact — Low impact on existing alerts. |
| GCP Firewall rule allows all traffic on MySQL DB port (3306). Changes — The
RQL for the policy is modified to check whether the firewall rule is disabled
and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable
firewall rule instead of deleting it. Additional permissions required:
Current RQL —
Updated RQL —
Updated CLI —
Impact — Low impact on existing alerts. |
| GCP Firewall rule allows all traffic on SMTP port (25). Changes — The RQL
for the policy is modified to check whether the firewall rule is disabled
and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable
firewall rule instead of deleting it. Additional permissions required:
Current RQL —
Updated RQL —
Updated CLI —
Impact — Low impact on existing alerts. |
| GCP Firewall rule allows all traffic on PostgreSQL port (5432). Changes — The
RQL for the policy is modified to check whether the firewall rule is disabled
and to include IPv6 checks. The remediation CLI has been modified to disable
the vulnerable firewall rule instead of deleting it. Additional permissions required:
Current RQL —
Updated RQL —
Updated CLI —
Impact — Low impact on existing alerts. |
| GCP Firewall rule allows all traffic on NetBIOS-SSN port (139). Changes — The
RQL for the policy is modified to check whether the firewall rule is disabled
and to include IPv6 checks. The remediation CLI has been modified to disable
the vulnerable firewall rule instead of deleting it. Additional permissions required:
Current RQL —
Updated RQL —
Updated CLI —
Impact — Low impact on existing alerts. |
| GCP Firewall rule allows all traffic on DNS port (53). Changes — The RQL
for the policy is modified to include IPv6 checks.
Current RQL —
Updated RQL —
Impact — Low impact on existing alerts. |
| GCP Firewall rule allows all traffic on FTP port (21). Changes — The RQL
for the policy is modified to include IPv6 checks.
Current RQL —
Updated RQL —
Impact — Low impact on existing alerts. |
| GCP Firewall rule allows all traffic on SSH port (22). Changes — The RQL
for the policy is modified to include IPv6 checks.
Current RQL —
Updated RQL —
Impact — Low impact on existing alerts. |
| GCP Firewall rule allows all traffic on RDP port (3389). Changes — The
RQL for the policy is modified to include IPv6 checks.
Current RQL —
Updated RQL —
Impact — Low impact on existing alerts. |
| GCP Firewall rule allows all traffic on POP3 port (110). Changes — The
RQL for the policy is modified to check whether the firewall rule is disabled
and to include IPv6 checks. The remediation CLI has been modified to disable
the vulnerable firewall rule instead of deleting it. Additional permissions required:
Current RQL —
Updated RQL —
Updated CLI —
Impact — Low impact on existing alerts. |
| GCP Firewall with Inbound rule overly permissive to All Traffic. Changes — The
RQL for the policy is modified to check whether the firewall rule is disabled
and to include IPv6 checks. The remediation CLI has been modified to disable
the vulnerable firewall rule instead of deleting it. Additional permissions required:
Current RQL —
Updated RQL —
Updated CLI —
Impact — Low impact on existing alerts. |
| GCP Firewall rule allows inbound traffic from anywhere with no specific target set. Changes — The
RQL for the policy is modified to include IPv6 checks. Also, the
policy recommendation steps are modified to reflect the latest CSP changes.
Current RQL —
Updated RQL —
Impact — Low impact on existing alerts. |
| If you have enabled the Code Security subscription on Prisma Cloud, see Code Security - Features
Introduced in June 2022 for details on new Configuration Build
policies, updates to add build rules for existing Configuration
Run policies, and policy deletions. |
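For the new "AWS Lambda Function resource-based policy is overly permissive" policy, here is an added example (not Prisma Cloud's code or RQL) of the same check done locally: it reads the JSON that `aws lambda get-policy` returns and flags Allow statements whose principal is a wildcard and that carry no Condition. The function ARN, account ID, bucket name and organization ID in the sample are constructed.

```python
# Added example, not Prisma Cloud's code or RQL: a local check for the
# condition the new policy describes, an overly permissive Lambda
# resource-based policy. The input has the shape of `aws lambda get-policy`
# output, whose "Policy" field is a JSON string; the sample is constructed.
import json

FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:example"  # constructed
SAMPLE_GET_POLICY_OUTPUT = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {   # anyone on the internet may invoke the function: flag it
                "Sid": "PublicInvoke", "Effect": "Allow", "Principal": "*",
                "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
            },
            {   # service principal scoped by SourceArn: not a wildcard grant
                "Sid": "S3Trigger", "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
                "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}},
            },
            {   # wildcard principal narrowed to one organization: not flagged,
                # but the condition itself still deserves review
                "Sid": "OrgScoped", "Effect": "Allow", "Principal": {"AWS": "*"},
                "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
            },
        ],
    }),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True for Principal "*" or an AWS principal entry (or list) containing "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def overly_permissive_statements(get_policy_output):
    """Sids of Allow statements granting a wildcard principal with no Condition."""
    doc = json.loads(get_policy_output["Policy"])
    flagged = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_is_wildcard(stmt.get("Principal")) and not stmt.get("Condition"):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged
```

Running `overly_permissive_statements(SAMPLE_GET_POLICY_OUTPUT)` returns only `["PublicInvoke"]`; a Condition is treated as narrowing the grant, so conditioned statements still need a human look at what the condition actually restricts.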
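The GCP firewall policy updates above all add the same two refinements: a rule that is disabled is no longer a finding, and the "open to anywhere" test covers IPv6 (`::/0`) as well as IPv4 (`0.0.0.0/0`). Here is an added example (not Prisma Cloud's code or RQL) that evaluates rules with the field layout of `gcloud compute firewall-rules list --format=json` under those semantics; the rule names and ranges are constructed.

```python
# Added example, not Prisma Cloud's code or RQL: check GCP VPC firewall rules
# (shape of `gcloud compute firewall-rules list --format=json`) the way the
# updated policies describe: only an enabled INGRESS rule open to the whole
# internet over IPv4 (0.0.0.0/0) or IPv6 (::/0) on the port is a violation.
import ipaddress

# Constructed sample rules (a subset of the real resource fields).
SAMPLE_RULES = [
    {"name": "smb-open-v6", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["445"]}]},
    {"name": "smb-open-but-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["445"]}]},
    {"name": "smb-internal-only", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["445"]}]},
    {"name": "allow-everything", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "range-covers-mongo", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["::0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["27000-27100"]}]},
    {"name": "egress-any", "direction": "EGRESS", "disabled": False,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp"}]},
]

def is_whole_internet(cidr):
    """True for any /0 range, IPv4 or IPv6, however it is spelled."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False

def _port_in_spec(port, spec):
    """spec is a single port ("445") or a range ("27000-27100")."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def rule_exposes_port(rule, port, protocol="tcp"):
    """Does this rule let the whole internet reach `port`/`protocol`?"""
    if rule.get("disabled"):                      # updated RQL skips disabled rules
        return False
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if not any(is_whole_internet(r) for r in rule.get("sourceRanges", [])):
        return False
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        if proto == "all":
            return True
        if proto != protocol:
            continue
        ports = allowed.get("ports")
        if not ports or any(_port_in_spec(port, p) for p in ports):
            return True                           # no "ports" key means every port
    return False

def violating_rules(rules, port, protocol="tcp"):
    """Sorted names of rules that expose `port` to the internet."""
    return sorted(r["name"] for r in rules if rule_exposes_port(r, port, protocol))
```

Calling `violating_rules(SAMPLE_RULES, 445)` reports `smb-open-v6` and `allow-everything` but neither the disabled rule nor the internal-only one, which is the difference the updated RQL makes.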
REST API Updates
No REST API updates for 22.6.2.
New Features Introduced in 22.6.1
New Features
FEATURE | DESCRIPTION |
---|---|
API Ingestions | AWS IAM (aws-iam-oidc-provider). Additional permissions required:
|
| AWS Lambda (aws-lambda-code-signing-config). Additional permission required:
|
| AWS Lambda (aws-lambda-list-functions). Additional permission required:
|
| AWS Route53 Resolver (aws-route53resolver-query-logging-config-association). Additional permission required:
|
| AWS Route53 Resolver (aws-route53resolver-query-logging-config). Additional permissions required:
|
| Azure HPC Cache (azure-hpc-cache). Additional permissions required:
|
| Azure Media Service (azure-media-service-account). Additional permission required:
|
| Azure Service Fabric (azure-service-fabric-cluster). Additional permission required:
|
| Azure Virtual Network (azure-network-effective-nsg). Additional permission required:
The Network Contributor role includes the permission, which does not need
to be explicitly granted if you have assigned this role to Prisma Cloud. |
| Azure Virtual Network (azure-network-effective-route-table). Additional permission required:
The Network Contributor role includes the permission, which does not need
to be explicitly granted if you have assigned this role to Prisma Cloud. |
| Google Certificate Authority Service (gcloud-certificate-authority-revocation-lists). Additional permissions required:
|
| Google Compute Engine (gcloud-compute-backend-bucket). Additional permission required:
|
| Google Compute Engine (gcloud-compute-external-backend-service). Additional permission required:
|
| OCI Big Data Service (oci-bigdataservice-instances). Additional permissions required:
|
| OCI Data Integration (oci-dataintegration-workspaces). Additional permissions required:
|
| OCI Data Science (oci-datascience-projects). Additional permissions required:
|
Update Support for Azure Virtual Network API Ingestions | To support ingestion for these Azure Virtual
Network APIs:
the Azure onboarding Terraform templates now include granular permissions for:
The Network Contributor role in Azure includes these two permissions,
which do not need to be explicitly granted if you have assigned this
role to Prisma Cloud. |
Permissions in the Azure Terraform Template | The Azure Terraform template in Monitor and Monitor
& Protect modes, used for onboarding Azure Subscriptions
and Azure Tenants with Management Groups on Prisma Cloud, includes the
following permission:
This permission is required in the Prisma Cloud custom role to support
the Drift Detection capabilities in Code Security. |
Change in Existing Behavior: Support for Google Cloud API Ingestions | When you onboard using granular permissions,
you must provide additional permissions for the following GCP APIs:
These permissions are part of the predefined Viewer role and are automatically
included if you are using that primitive role. |
New Policies and Policy Updates
No new policies or policy updates for 22.6.1.
New Compliance Benchmarks and Updates
COMPLIANCE BENCHMARK | DESCRIPTION |
---|---|
Support for Australian Energy Sector Cyber Security Framework (AESCSF) | The Australian Energy Sector Cyber Security
Framework (AESCSF) provides a set of cybersecurity guidelines specifically
tailored to the Australian energy sector. This framework enables
the owners and operators of energy infrastructure in Australia to
assess, evaluate, prioritize, and improve their cybersecurity posture. The
framework involves the analysis of two aspects:
|
Support for Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) | The Australian Cyber Security Centre (ACSC)
produces the Information Security Manual (ISM). The ISM outlines a cyber
security framework that you can apply, using a risk management
framework, to protect information and systems from cyber threats. The
ISM is intended for Chief Information Security Officers, Chief Information
Officers, cyber security professionals, and information technology
managers. |
Support for Australian Cyber Security Centre (ACSC) Essential Eight | The Australian Cyber Security Centre's (ACSC)
Essential Eight is a risk management framework that prioritizes
eight mitigation strategies taken from the ACSC's recommended Strategies
to Mitigate Cyber Security Incidents. The Essential Eight
security controls are:
|
Update New Zealand Information Security Manual (NZISM v3.4) | Prisma Cloud has extended the compliance
support to other cloud accounts, including Azure, Alibaba, GCP, and
OCI, along with AWS. |
REST API Updates
No REST API updates for 22.6.1.