Features Introduced in March 2022

Learn what's new on Prisma™ Cloud in March 2022.

New Features Introduced in 22.3.2

New Features

FEATURE
DESCRIPTION
Azure Custom Roles
Prisma Cloud now gives you the ability to create custom roles which enable you to onboard your cloud accounts with a granular set of permissions and enforce the principle of least privilege.
When you view the status of Cloud Accounts, you can now review the details on missing permissions.
Access Control Settings
Prisma Cloud now includes a new navigation menu in Settings called Access Control. The Roles, Users, Access Keys, and SSO pages have all been consolidated under this location and are accessible as tabs in the header.
In addition, an Add button is now included that handles unified actions across these tabs, enabling you to perform operations such as creating a role or an access key from a single location.
Automatically Receive Detailed Reports With Email Alerts
When you configure your alert rules to instantly send emails, a detailed report is automatically included as an attachment.
API Ingestions
AWS Storage Gateway
aws-storage-gateway-cached-volume
Additional permissions required:
  • storagegateway:ListVolumes
  • storagegateway:DescribeCachediSCSIVolumes
AWS Storage Gateway
aws-storage-gateway-tape
Additional permissions required:
  • storagegateway:ListTapes
  • storagegateway:DescribeTapes
AWS X-Ray
aws-xray-encryption-config
Additional permission required:
xray:GetEncryptionConfig
Azure Virtual Network
azure-network-natgateway
Additional permission required:
Microsoft.Network/natGateways/read
Azure Data Catalog
azure-datacatalog-catalog
Additional permission required:
Microsoft.DataCatalog/catalogs/read
Google Cloud Bigtable
gcloud-bigtable-instance-cluster-backup-list
Additional permissions required:
  • bigtable.backups.list
  • bigtable.backups.getIamPolicy
Google Cloud Spanner backups
gcloud-cloud-spanner-instance-backup
Additional permission required: None
Google Secrets Manager
gcloud-secretsmanager-secrets-version
Additional permission required:
secretmanager.versions.list
Google VPC
gcloud-compute-org-firewall-policy
Additional permission required:
compute.firewallPolicies.list
Google Certificate Authority Service
gcloud-certificate-authority-ca
Additional permissions required:
  • privateca.caPools.list
  • privateca.certificateAuthorities.list
OCI API Management
oci-apimanagement-apigateway
Additional permissions required:
  • inspect api-gateways
  • read api-gateways

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
New Policies
AWS IAM Access analyzer is not configured
Identifies AWS regions that do not have IAM Access Analyzer configured. AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as IAM roles, that are shared with an external entity so that you can identify unintended access to your resources and data. As a best practice, configure Access Analyzer in all regions of your account.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-access-analyzer' AND json.rule = status equals ACTIVE as X; config from cloud.resource where api.name = 'aws-region' AND json.rule = optInStatus does not equal not-opted-in as Y; filter '$.X.arn contains $.Y.regionName'; show X; count(X) less than 1
Azure Spring Cloud app end-to-end TLS is disabled
Identifies Azure Spring Cloud apps that have end-to-end TLS disabled. Enabling end-to-end TLS/SSL secures traffic from the ingress controller to the apps. After you enable end-to-end TLS and load a certificate from the key vault, all communications within Azure Spring Cloud are secured with TLS. As a best practice, use end-to-end TLS to secure the traffic to Spring Cloud apps.
config from cloud.resource where api.name = 'azure-spring-cloud-service' AND json.rule = properties.powerState equals Running and sku.tier does not equal Basic as X; config from cloud.resource where api.name = 'azure-spring-cloud-app' AND json.rule = properties.provisioningState equals Succeeded and properties.enableEndToEndTLS is false as Y; filter '$.X.name equals $.Y.serviceName'; show Y;
Azure Spring Cloud app system-assigned managed identity is disabled
Identifies Azure Spring Cloud apps that have the system-assigned managed identity disabled. A system-assigned managed identity can be used to authenticate to any service that supports Azure AD authentication without keeping credentials in your code. Storing credentials in code increases the attack surface if the code is exploited; managed identities eliminate the need to store them. As a best practice, assign a system-assigned managed identity to your Spring Cloud apps.
config from cloud.resource where api.name = 'azure-spring-cloud-service' AND json.rule = properties.powerState equals Running as X; config from cloud.resource where api.name = 'azure-spring-cloud-app' AND json.rule = properties.provisioningState equals Succeeded and identity does not exist as Y; filter '$.X.name equals $.Y.serviceName'; show Y;
GCP API key not restricted to use by specified Hosts and Apps
Identifies GCP API keys that are not restricted by any specific hosts or apps. Unrestricted keys are insecure because they can be viewed publicly, such as within a browser, or they can be accessed on a device where the key resides. As a best practice, restrict API key usage to trusted hosts, HTTP referrers, and apps.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-api-key' AND json.rule = (restrictions.browserKeyRestrictions does not exist and restrictions.serverKeyRestrictions does not exist and restrictions.androidKeyRestrictions does not exist and restrictions.iosKeyRestrictions does not exist) or (restrictions.browserKeyRestrictions exists and (restrictions.browserKeyRestrictions[?any(allowedReferrers[*] equals "*")] exists or restrictions.browserKeyRestrictions[?any(allowedReferrers[*] equals "*.[TLD]")] exists or restrictions.browserKeyRestrictions[?any(allowedReferrers[*] equals "*.[TLD]/*")] exists)) or (restrictions.serverKeyRestrictions exists and (restrictions.serverKeyRestrictions[?any(allowedIps[*] equals 0.0.0.0)] exists or restrictions.serverKeyRestrictions[?any(allowedIps[*] equals 0.0.0.0/0)] exists or restrictions.serverKeyRestrictions[?any(allowedIps[*] equals ::/0)] exists or restrictions.serverKeyRestrictions[?any(allowedIps[*] equals ::0)] exists))
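As an added illustration (not Prisma Cloud's code), the following Python applies the same three conditions as the API-key RQL above to constructed gcloud-api-key resource JSON; the sample displayName values and the literal matching of the "*.[TLD]" referrer strings are assumptions.

```python
from typing import Any

# Referrer and IP values the RQL treats as "effectively unrestricted"; the three
# referrer strings are matched literally, exactly as they are written in the RQL.
WILDCARD_REFERRERS = {"*", "*.[TLD]", "*.[TLD]/*"}
WILDCARD_IPS = {"0.0.0.0", "0.0.0.0/0", "::/0", "::0"}
RESTRICTION_KINDS = ("browserKeyRestrictions", "serverKeyRestrictions",
                     "androidKeyRestrictions", "iosKeyRestrictions")

def is_unrestricted(key: dict[str, Any]) -> bool:
    """True when the key would be reported by the policy."""
    r = key.get("restrictions") or {}
    # Case 1: no restriction block of any kind on the key.
    if not any(kind in r for kind in RESTRICTION_KINDS):
        return True
    # Case 2: a browser restriction that still allows a wildcard referrer.
    browser = r.get("browserKeyRestrictions")
    if browser is not None and any(
            ref in WILDCARD_REFERRERS for ref in browser.get("allowedReferrers", [])):
        return True
    # Case 3: a server restriction that still allows any source IP.
    server = r.get("serverKeyRestrictions")
    if server is not None and any(
            ip in WILDCARD_IPS for ip in server.get("allowedIps", [])):
        return True
    return False

# Constructed sample resources in the shape of the gcloud-api-key API
# (displayName + restrictions); nothing here is a real key.
SAMPLE_KEYS = [
    {"displayName": "no-restrictions"},
    {"displayName": "browser-wildcard",
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*"]}}},
    {"displayName": "browser-scoped",
     "restrictions": {"browserKeyRestrictions":
                      {"allowedReferrers": ["https://app.example.com/*"]}}},
    {"displayName": "server-any-ip",
     "restrictions": {"serverKeyRestrictions": {"allowedIps": ["::/0"]}}},
    {"displayName": "android-only",
     "restrictions": {"androidKeyRestrictions":
                      {"allowedApplications": [{"packageName": "com.example.app"}]}}},
]

def flagged_keys(keys: list[dict[str, Any]]) -> list[str]:
    """displayNames of the keys the policy would alert on."""
    return [k["displayName"] for k in keys if is_unrestricted(k)]
```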
Policy Updates—Metadata
Azure Network Watcher Network Security Group (NSG) flow logs are disabled
Changes—The policy recommendation has been updated to include end-to-end configuration information. The policy RQL has also been updated to remove $ to be consistent across all RQLs.
Updated RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nsg-list' AND json.rule = flowLogsSettings does not exist or flowLogsSettings.enabled is false
Impact—No impact on existing alerts.
Azure App Service Web app doesn't have a Managed Service Identity
Changes—The policy RQL has been updated to exclude App Services with user-assigned identities from reporting, because an App Service can be assigned a user-assigned identity. The policy description and recommendation have also been updated to reflect the change.
Updated RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = kind starts with app and (identity.type does not exist or (identity.type exists and identity.type does not contain SystemAssigned and identity.type does not contain UserAssigned))
Impact—Previously generated alerts for App Services using user-assigned identities will be resolved as Policy_Updated.
AWS RDS instance with copy tags to snapshots disabled
Changes—The policy was reporting false-positive alerts for AWS DocumentDB instances because the copyTagsToSnapshot feature is not supported for DocumentDB. The policy RQL has been updated to ignore docdb engine instances.
Current
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = 'dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb
Impact—Alerts for resources with a docdb engine instance will be resolved as Policy_Updated.

Changes in Existing Behavior

FEATURE
CHANGE
CSPM Alert API Rate Limits
Prisma Cloud continues to enable rate limiting on the API endpoints, in order to ensure availability and scalability of Prisma Cloud APIs. The following API rate limits are implemented for the Alerts API endpoints starting in 22.3.2:
  • GET /v2/alert
    • Request rate limit: 2/sec
    • Burst limit: 10/sec
  • POST /v2/alert
    • Request rate limit: 2/sec
    • Burst limit: 10/sec
  • GET /alert/count/{status}
    • Request rate limit: 2/sec
    • Burst limit: 10/sec
  • GET /alert
    • Request rate limit: 2/sec
    • Burst limit: 10/sec
  • POST /alert
    • Request rate limit: 2/sec
    • Burst limit: 10/sec
  • GET /alert/policy
    • Request rate limit: 1/sec
    • Burst limit: 5/sec
  • POST /alert/policy
    • Request rate limit: 1/sec
    • Burst limit: 5/sec
  • GET /alert/{id}
    • Request rate limit: 5/sec
    • Burst limit: 10/sec
  • POST /alert/jobs
    • Request rate limit: 2/sec
    • Burst limit: 10/sec
  • POST /alert/policy/jobs
    • Request rate limit: 1/sec
    • Burst limit: 5/sec
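Added example, not part of the release note or of any Prisma Cloud SDK: a client-side token-bucket throttle that keeps a script under the limits listed above. It assumes the request rate is the sustained refill rate, the burst limit is the bucket capacity, and GET /alert/{id} is the catch-all for any other single path segment after /alert/.

```python
import re
import time

# Limits from the note above as (method, path regex, sustained req/sec, burst);
# specific paths are listed before the GET /alert/{id} catch-all.
ALERT_API_LIMITS = [
    ("GET", r"/v2/alert", 2, 10), ("POST", r"/v2/alert", 2, 10),
    ("GET", r"/alert/count/[^/]+", 2, 10),
    ("GET", r"/alert", 2, 10), ("POST", r"/alert", 2, 10),
    ("GET", r"/alert/policy", 1, 5), ("POST", r"/alert/policy", 1, 5),
    ("POST", r"/alert/jobs", 2, 10), ("POST", r"/alert/policy/jobs", 1, 5),
    ("GET", r"/alert/[^/]+", 5, 10),  # GET /alert/{id}
]

def limit_for(method, path):
    """Return (pattern, rate, burst) for an endpoint, or None if it is not limited here."""
    for m, pattern, rate, burst in ALERT_API_LIMITS:
        if m == method and re.fullmatch(pattern, path):
            return pattern, rate, burst
    return None

class TokenBucket:
    """Capacity = burst, refilled at `rate` tokens/sec; acquire() reserves one token."""
    def __init__(self, rate, burst, clock):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def acquire(self):
        """Return the seconds the caller must wait before sending this request."""
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        wait = 0.0 if self.tokens >= 1 else (1 - self.tokens) / self.rate
        self.tokens -= 1  # goes negative while the caller sleeps off `wait`
        return wait

class Throttle:
    """One bucket per limited endpoint; call before(method, path) ahead of each request."""
    def __init__(self, clock=time.monotonic, sleep=time.sleep):
        self.clock, self.sleep, self.buckets = clock, sleep, {}

    def before(self, method, path):
        """Sleep as required; return the clock time at which the request may be sent."""
        limit = limit_for(method, path)
        if limit is not None:
            pattern, rate, burst = limit
            bucket = self.buckets.setdefault((method, pattern), TokenBucket(rate, burst, self.clock))
            self.sleep(bucket.acquire())
        return self.clock()

def schedule(requests):
    """Dry run with a simulated clock: send time (seconds from 0) of each (method, path)."""
    now = [0.0]
    def sleep(seconds): now[0] += seconds
    throttle = Throttle(clock=lambda: now[0], sleep=sleep)
    return [throttle.before(m, p) for m, p in requests]
```

With the real clock, `Throttle().before("GET", "/v2/alert")` blocks just long enough that a loop never exceeds 2 requests per second after its initial burst of 10.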
Update
Permission in the aws-s3api-get-bucket-acl API
The aws-s3api-get-bucket-acl API has been updated to include the following permission:
s3:GetBucketOwnershipControls
This enables you to get the default ownership settings for objects in your S3 buckets.

REST API Updates

CHANGE
DESCRIPTION
CSPM Alert API Rate Limits
See Changes in Existing Behavior for a description of new CSPM Alert API rate limits.
Removal of Deprecated IaC Scan API V2
The deprecated IaC Scan API V2 has been removed. A new Code Security API is available for Infrastructure-as-Code security checks.

New Features Introduced in 22.3.1

New Features

FEATURE
DESCRIPTION
License Support in Alarm Center
Prisma Cloud includes a new License Alarm Type, which raises an alarm in the following cases:
  • License Usage—An alarm is raised on the last day of the month if your monthly usage is >80% (configurable limit) of the credits purchased.
  • License Expiry—An alarm is raised 1 month before your license expires (for non-POC tenants).
  • Module Activation Failure—An alarm is raised for any module provisioning failure.
Update
Prisma Cloud Data Security—New File Extensions Supported for Malware Scanning
Prisma Cloud can now scan files with the following extensions in your storage buckets for malware:
  • .pdf
  • .doc
  • .docx
  • .xls
  • .xlsx
  • .ppt
  • .pptx
  • .docm
  • .dotm
  • .xlm
  • .xlsm
  • .xltm
  • .pptm
  • .potm
  • .ppsm
Support for New Regions on OCI
Prisma Cloud now ingests data for resources deployed in the Jerusalem, Marseille, and Singapore cloud regions on OCI.
To review a list of supported regions, select Inventory and then Assets, and choose Cloud Region from the filter drop-down.
Support for the Abu Dhabi, Milan, Stockholm, and Johannesburg regions is released as a beta.
API Ingestions
Amazon Neptune
aws-neptune-db-cluster-parameter-group
Additional permissions required:
  • rds:DescribeDBClusterParameters
  • rds:DescribeDBClusterParameterGroups
  • rds:ListTagsForResource
Amazon QuickSight
aws-quicksight-account-setting
Additional permission required:
quicksight:DescribeAccountSettings
Amazon VPC
aws-ec2-client-vpn-endpoint
Additional permission required:
ec2:DescribeClientVpnEndpoints
Google Certificate Authority Service
gcloud-certificate-authority-pool
Additional permissions required:
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
Google Compute Engine
gcloud-compute-instances-list
Additional permission required:
compute.instances.getIamPolicy
Google Compute Engine
gcp-compute-disk-list
Additional permission required:
compute.disks.getIamPolicy
Google Cloud IAM
gcloud-iam-workload-identity-provider
Additional permission required:
iam.workloadIdentityPoolProviders.list
Google Cloud IAM
gcloud-iam-workload-identity-pool
Additional permission required:
iam.workloadIdentityPools.list
The IAM Workload Identity Prisma Cloud APIs provide only the workload identity pools and providers created under Workload Identity Federation as part of the IAM service.
Refer to the gcloud-container-describe-clusters API for the Workload Identity configuration details of GKE clusters.
OCI Web Application Firewall
oci-waf-webappfirewallpolicy
Additional permissions required:
  • Allow group ${oci_identity_group.group.name} to inspect waf-policy in tenancy
  • Allow group ${oci_identity_group.group.name} to read waf-policy in tenancy
Update
Azure Service Bus
azure-service-bus-namespace
This API has been updated to show the following new fields in the resource JSON:
  • publicNetworkAccess
  • disableLocalAuth

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
New Policies
Azure MariaDB database server with SSL connection disabled
Identifies MariaDB database servers for which SSL enforcement is disabled. As a best practice, enforce SSL for connections to your database server.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-database-maria-db-server' AND json.rule = properties.userVisibleState equals Ready and properties.sslEnforcement equals Disabled
Azure MariaDB database server not using latest TLS version
Identifies Azure MariaDB database servers that are not using the latest TLS version for SSL enforcement. As a best practice, set the newest TLS version as the minimum TLS version for the MariaDB database server. Currently, Azure MariaDB supports TLS 1.2, which resolves the security gaps of its preceding versions.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-database-maria-db-server' AND json.rule = properties.userVisibleState equals Ready and properties.sslEnforcement equals Enabled and properties.minimalTlsVersion does not equal TLS1_2
Azure Key vault Private Endpoint Connection is not configured
Identifies Key Vaults that are not configured with a private endpoint connection. As a best practice, configure a private endpoint connection for your Key Vaults.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-key-vault-list' AND json.rule = properties.provisioningState equals Succeeded and properties.privateEndpointConnections[*] does not exist
Policy Updates—Metadata
The policy name and description have been updated to describe the policy better.
Current name
AWS RDS event subscription disabled for DB instance
Updated to
AWS RDS Event subscription All event categories and All instances disabled for DB instance
Updated description—Identifies AWS RDS event subscriptions for DB instances that have 'All event categories' and 'All instances' disabled. As a best practice, enable 'All event categories' for 'All instances' to get notified when an event occurs for a DB instance.
Impact—No impact on existing alerts.
Policy Updates—RQL
AWS SNS topic with cross-account access
Changes—The RQL has been updated to ignore statements whose principal is the SNS topic's own owner account.
Current RQL
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS does not equal * and Principal does not equal * and Principal.AWS contains arn))] exists
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS does not equal * and Principal does not equal * and Principal.AWS contains arn and Principal.AWS does not contain $.Owner))] exists
Impact—Previously generated alerts for resources where the SNS topic owner was itself will be resolved as Policy_Updated.
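The false-positive fix above, as an added example (not Prisma Cloud code): both RQL versions re-implemented over constructed aws-sns-get-topic-attributes records, where Policy is a JSON string and Owner is the topic's account ID. The account IDs and topic names are made up, and a statement listing several AWS principals is evaluated per principal (an assumption about the RQL's list semantics).

```python
import json

OWNER = "111122223333"  # constructed owner account ID

def _topic(name, principal):
    """Build a constructed topic-attributes record with one Allow statement."""
    arn = f"arn:aws:sns:us-east-1:{OWNER}:{name}"
    policy = {"Version": "2012-10-17", "Statement": [
        {"Sid": "s1", "Effect": "Allow", "Principal": principal,
         "Action": "SNS:Publish", "Resource": arn}]}
    return {"TopicArn": arn, "Owner": OWNER, "Policy": json.dumps(policy)}

SAMPLE_TOPICS = [
    _topic("self-only", {"AWS": f"arn:aws:iam::{OWNER}:root"}),          # owner itself
    _topic("cross-account", {"AWS": "arn:aws:iam::444455556666:root"}),  # another account
    _topic("mixed", {"AWS": [f"arn:aws:iam::{OWNER}:root",
                             "arn:aws:iam::444455556666:user/ci"]}),
    _topic("public", "*"),                                  # covered by a different policy
]

def _aws_principals(stmt):
    """AWS principal strings of a statement; [] when Principal or Principal.AWS is '*'."""
    principal = stmt.get("Principal")
    if not isinstance(principal, dict) or principal.get("AWS", "*") == "*":
        return []
    aws = principal["AWS"]
    return [aws] if isinstance(aws, str) else list(aws)

def _allow_principals(topic):
    """Yield every AWS principal named in an Allow statement of the topic policy."""
    stmts = json.loads(topic["Policy"]).get("Statement", [])
    for stmt in (stmts if isinstance(stmts, list) else [stmts]):
        if stmt.get("Effect") == "Allow":
            yield from _aws_principals(stmt)

def matches_current(topic):
    """Current RQL: any Allow statement whose Principal.AWS is an ARN, owner included."""
    return any("arn" in p for p in _allow_principals(topic))

def matches_updated(topic):
    """Updated RQL: as above, but an ARN containing the topic Owner's account ID is ignored."""
    return any("arn" in p and topic["Owner"] not in p for p in _allow_principals(topic))

def flagged(rule, topics):
    """Topic names a rule would alert on."""
    return [t["TopicArn"].rsplit(":", 1)[1] for t in topics if rule(t)]
```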
AWS IAM policy allows full administrative privileges
Changes—The RQL has been updated to check only policies that are attached to a user, role, or group.
Current RQL
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = 'document.Statement[?any(Action equals * and Resource equals * and Effect equals Allow)] exists and (policyArn exists and policyArn does not contain iam::aws:policy/AdministratorAccess)'
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Action anyStartWith * and Resource equals * and Effect equals Allow)] exists and (policyArn exists and policyArn does not contain iam::aws:policy/AdministratorAccess)
Impact—Previously generated alerts for policies that are not attached to any user, role, or group will be resolved as Policy_Updated.
GCP Cloud Function HTTP trigger is not secured
Changes—The RQL has been modified to generate alerts only for HTTP triggers that are not secure.
Current RQL
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-function' AND json.rule = status equals ACTIVE and httpsTrigger.securityLevel does not equal SECURE_ALWAYS
Updated to
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-function' AND json.rule = status equals ACTIVE and httpsTrigger exists and httpsTrigger.securityLevel does not equal SECURE_ALWAYS
Impact—Previously generated alerts associated with non-HTTP triggers will be resolved as Policy_Updated.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Update
AWS CIS v1.3.0 and v1.4.0
The AWS S3 CloudTrail buckets for which access logging is disabled policy has been mapped to AWS CIS v1.3.0 and v1.4.0, section 3.6.
Impact—The compliance report score will be affected because a new mapping has been added.

REST API Updates

CHANGE
DESCRIPTION
CSPM Policy API Endpoints
This change was first announced in the look-ahead that was published with the 22.2.2 release.
If you specify an RQL statement rather than a search ID for the rule.criteria request body parameter, the value of the rule.criteria attribute in the resulting response object will be a UUID and not the RQL itself. This change affects the following API requests:
  • POST /policy
  • PUT /policy/{id}
You can use the UUID with the following requests to determine the corresponding RQL statement:
  • GET /search/history, where the response object includes both the UUID and the RQL
  • GET /search/history/{UUID}
