Features Introduced in March 2022
Learn what’s new on Prisma™ Cloud in March 2022.
New Features Introduced in 22.3.2
New Features
| FEATURE | DESCRIPTION |
| --- | --- |
| Azure Custom Roles | Prisma Cloud now gives you the ability to create custom roles, which enable you to onboard your cloud accounts with a granular set of permissions and enforce the principle of least privilege. When you view the status of Cloud Accounts, you can now review the details on missing permissions. |
| Access Control Settings | Prisma Cloud now includes a new navigation menu in Settings called Access Control. The Roles, Users, Access Keys, and SSO pages have all been consolidated under this location and are accessible as tabs in the header. In addition, an Add button is now included that handles unified actions across these tabs, enabling you to perform operations such as creating a role or an access key from a single location. |
| Automatically Receive Detailed Reports With Email Alerts | When you configure your alert rules to instantly send emails, a detailed report is automatically included as an attachment. |

API Ingestions

- AWS Storage Gateway: aws-storage-gateway-cached-volume. Additional permissions required:
- AWS Storage Gateway: aws-storage-gateway-tape. Additional permissions required:
- AWS X-Ray: aws-xray-encryption-config. Additional permission required:
- Azure Virtual Network: azure-network-natgateway. Additional permission required:
- Azure Data Catalog: azure-datacatalog-catalog. Additional permission required:
- Google Cloud Bigtable: gcloud-bigtable-instance-cluster-backup-list. Additional permissions required:
- Google Cloud Spanner backups: gcloud-cloud-spanner-instance-backup. Additional permission required: None
- Google Secrets Manager: gcloud-secretsmanager-secrets-version. Additional permission required:
- Google VPC: gcloud-compute-org-firewall-policy. Additional permission required:
- Google Certificate Authority Service: gcloud-certificate-authority-ca. Additional permissions required:
- OCI API Management: oci-apimanagement-apigateway. Additional permissions required:
New Policies and Policy Updates

New Policies

- AWS IAM Access Analyzer is not configured: Identifies AWS regions that do not have IAM Access Analyzer configured. AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as IAM roles, that are shared with an external entity, so that you can identify unintended access to your resources and data. As a best practice, configure Access Analyzer in all regions of your account.
- Azure Spring Cloud app end-to-end TLS is disabled: Identifies Azure Spring Cloud apps that have end-to-end TLS disabled. Enabling end-to-end TLS (SSL) secures the traffic from the ingress controller to the apps. After you enable end-to-end TLS and load a certificate from the key vault, all communications within Azure Spring Cloud are secured with TLS. As a best practice, use end-to-end TLS to secure the traffic to Spring Cloud apps.
- Azure Spring Cloud app system-assigned managed identity is disabled: Identifies Azure Spring Cloud apps that have the system-assigned managed identity disabled. A system-assigned managed identity can authenticate to any service that supports Azure AD authentication without credentials in your code. Credentials stored in code widen the attack surface if the code is exploited; managed identities remove the need to store them. As a best practice, assign a system-assigned managed identity to your Spring Cloud apps.
- GCP API key not restricted to use by specified Hosts and Apps: Identifies GCP API keys that are not restricted to specific hosts or apps. Unrestricted keys are insecure because they can be viewed publicly, for example within a browser, or accessed on a device where the key resides. As a best practice, restrict API key usage to trusted hosts, HTTP referrers, and apps.

Policy Updates—Metadata

- Azure Network Watcher Network Security Group (NSG) flow logs are disabled
  - Changes— The policy recommendation has been updated to include end-to-end configuration information. The policy RQL has also been updated to remove $ so that it is consistent with all other RQLs.
  - Updated RQL—
  - Impact— No impact on existing alerts.
- Azure App Service Web app doesn't have a Managed Service Identity
  - Changes— The policy RQL has been updated so that App Services with user-assigned identities are no longer reported, because an App Service can be assigned user-assigned identities. The policy description and recommendation have also been updated to reflect the change.
  - Updated RQL—
  - Impact— Previously generated alerts for App Services using user-assigned identities will be resolved as Policy_Updated.
- AWS RDS instance with copy tags to snapshots disabled
  - Changes— The policy was reporting false-positive alerts for AWS DocumentDB instances because the copyTagsToSnapshot feature is not supported for DocDB. The policy RQL has been updated to ignore docdb engine instances.
  - Current—
  - Updated to—
  - Impact— Alerts for resources that have a docdb engine instance will be resolved as Policy_Updated.
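The three Azure and GCP policies above reduce to simple conditions on the resource JSON. The following is an added example, not Prisma Cloud code or its RQL, of local pre-checks that mirror those conditions; the field names (properties.enableEndToEndTLS and identity.type on the Azure Spring Cloud app resource, restrictions.*KeyRestrictions on the GCP API key resource) are assumptions about the cloud APIs, and the sample resources are constructed.

```python
# Added example (not Prisma Cloud code or its RQL): local pre-checks that mirror
# the three Azure/GCP policies announced above, run over resource JSON.
# Field names are assumptions about the Azure Resource Manager app resource
# (properties.enableEndToEndTLS, identity.type) and the GCP API Keys resource
# (restrictions.*KeyRestrictions); the sample resources are constructed.
def spring_app_end_to_end_tls_disabled(app: dict) -> bool:
    """Azure Spring Cloud app end-to-end TLS is disabled (missing flag counts as disabled)."""
    return not (app.get("properties") or {}).get("enableEndToEndTLS", False)

def spring_app_system_identity_disabled(app: dict) -> bool:
    """Azure Spring Cloud app system-assigned managed identity is disabled.
    ARM encodes both identities as 'SystemAssigned,UserAssigned', so split on commas."""
    identity_type = (app.get("identity") or {}).get("type", "None")
    kinds = {part.strip() for part in identity_type.split(",")}
    return "SystemAssigned" not in kinds

# Client restrictions: who may present the key (browsers, server IPs, mobile apps).
_GCP_CLIENT_RESTRICTIONS = ("browserKeyRestrictions", "serverKeyRestrictions",
                            "androidKeyRestrictions", "iosKeyRestrictions")

def gcp_api_key_unrestricted(key: dict) -> bool:
    """GCP API key not restricted to use by specified Hosts and Apps.
    apiTargets only narrows which APIs the key can call, not who may call, so it does not count."""
    restrictions = key.get("restrictions") or {}
    return not any(restrictions.get(name) for name in _GCP_CLIENT_RESTRICTIONS)

CHECKS = (
    ("azure-spring-app", "Azure Spring Cloud app end-to-end TLS is disabled",
     spring_app_end_to_end_tls_disabled),
    ("azure-spring-app", "Azure Spring Cloud app system-assigned managed identity is disabled",
     spring_app_system_identity_disabled),
    ("gcp-api-key", "GCP API key not restricted to use by specified Hosts and Apps",
     gcp_api_key_unrestricted),
)

def findings(resources: list) -> list:
    """Return (resource name, policy name) for each resource that violates a check."""
    return [(res["name"], policy) for kind, res in resources
            for check_kind, policy, check in CHECKS if kind == check_kind and check(res)]

SAMPLE_RESOURCES = [  # constructed
    ("azure-spring-app", {"name": "orders", "properties": {"enableEndToEndTLS": False},
                          "identity": {"type": "UserAssigned"}}),
    ("azure-spring-app", {"name": "billing", "properties": {"enableEndToEndTLS": True},
                          "identity": {"type": "SystemAssigned, UserAssigned"}}),
    ("gcp-api-key", {"name": "web-key", "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}]}}),
    ("gcp-api-key", {"name": "mobile-key", "restrictions": {"androidKeyRestrictions": {"allowedApplications": [{"packageName": "com.example.app"}]}}}),
]
```

Running `findings(SAMPLE_RESOURCES)` reports both Spring Cloud policies for "orders" and the API key policy for "web-key", while "billing" and "mobile-key" are clean.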
Changes in Existing Behavior
- CSPM Alert API Rate Limits: Prisma Cloud continues to enable rate limiting on its API endpoints to ensure the availability and scalability of Prisma Cloud APIs. The following rate limits are implemented for the Alerts API endpoints starting in 22.3.2:
- Update permission in the aws-s3api-get-bucket-acl API: The aws-s3api-get-bucket-acl API has been updated to include the following permission:
  This enables you to get the default ownership settings for objects in your S3 buckets.
REST API Updates
| CHANGE | DESCRIPTION |
| --- | --- |
| CSPM Alert API Rate Limits | See Changes in Existing Behavior for a description of the new CSPM Alert API rate limits. |
| Removal of Deprecated IaC Scan API V2 | The deprecated IaC Scan API V2 has been removed. A new Code Security API is available for Infrastructure-as-Code security checks. |
New Features Introduced in 22.3.1
New Features
| FEATURE | DESCRIPTION |
| --- | --- |
| License Support in Alarm Center | Prisma Cloud includes a new License alarm type, which raises an alarm in the following cases: |
| Update Prisma Cloud Data Security—New File Extensions Supported for Malware Scanning | Prisma Cloud can now scan the following file extensions in your storage buckets for malware: |
| Support for New Regions on OCI | Prisma Cloud now ingests data for resources deployed in the Jerusalem, Marseille, and Singapore cloud regions on OCI. To review the list of supported regions, select Inventory > Assets > Cloud Region from the filter drop-down. Support for the Abu Dhabi, Milan, Stockholm, and Johannesburg regions is released as a beta. |

API Ingestions

- Amazon Neptune: aws-neptune-db-cluster-parameter-group. Additional permissions required:
- Amazon QuickSight: aws-quicksight-account-setting. Additional permissions required:
- Amazon VPC: aws-ec2-client-vpn-endpoint. Additional permission required:
- Google Certificate Authority Service: gcloud-certificate-authority-pool. Additional permissions required:
- Google Compute Engine: gcloud-compute-instances-list. Additional permission required:
- Google Compute Engine: gcp-compute-disk-list. Additional permission required:
- Google Cloud IAM: gcloud-iam-workload-identity-provider. Additional permission required:
- Google Cloud IAM: gcloud-iam-workload-identity-pool. Additional permission required:
  The IAM Workload Identity Prisma Cloud APIs return only the workload identity pools and providers created under Workload Identity Federation as part of the IAM service. Refer to the gcloud-container-describe-clusters API for the Workload Identity configuration of GKE clusters.
- OCI Web Application Firewall: oci-waf-webappfirewallpolicy. Additional permissions required:
- Update Azure Service Bus: azure-service-bus-namespace. This API has been updated to show the following new fields in the resource JSON:
New Policies and Policy Updates
New Policies

- Azure MariaDB database server with SSL connection disabled: Identifies MariaDB database servers for which SSL enforcement is disabled. It is recommended to enforce SSL for access to your database server.
- Azure MariaDB database server not using latest TLS version: Identifies Azure MariaDB database servers that are not using the latest TLS version for SSL enforcement. As a best practice, use the newest TLS version as the minimum TLS version for the MariaDB database server. Currently, Azure MariaDB supports TLS 1.2, which resolves the security gaps of the preceding versions.
- Azure Key vault Private Endpoint Connection is not configured: Identifies Key Vaults that are not configured with a private endpoint connection. It is recommended to configure a private endpoint connection for Key Vaults.

Policy Updates—Metadata

- The policy name and description have been updated to describe the policy better.
  - Current name— AWS RDS event subscription disabled for DB instance
  - Updated to— AWS RDS Event subscription All event categories and All instances disabled for DB instance
  - Updated description— Identifies AWS RDS event subscriptions for DB instances that have 'All event categories' and 'All instances' disabled. As a best practice, enable 'All event categories' for 'All instances' to get notified when an event occurs for a DB instance.
  - Impact— No impact on existing alerts.

Policy Updates—RQL

- AWS SNS topic with cross-account access
  - Changes— The RQL has been updated to ignore resources where the SNS topic owner is itself.
  - Current RQL—
  - Updated to—
  - Impact— Previously generated alerts for resources where the SNS topic owner was itself will be resolved as Policy_Updated.
- AWS IAM policy allows full administrative privileges
  - Changes— The RQL has been updated to check only whether the policy is attached to any user, role, or group.
  - Current RQL—
  - Updated to—
  - Impact— Previously generated alerts for policies that are not attached to any user, role, or group will be resolved as Policy_Updated.
- GCP Cloud Function HTTP trigger is not secured
  - Changes— The RQL has been modified to generate alerts only for HTTP triggers that are not secure.
  - Current RQL—
  - Updated to—
  - Impact— Previously generated alerts associated with non-HTTP triggers will be resolved as Policy_Updated.
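Three of the RQL refinements on this page (the DocDB exclusion for the RDS copy-tags policy in 22.3.2, and the SNS topic-owner and IAM full-admin attachment changes in 22.3.1) each remove a specific class of false positive. The following is an added example, not Prisma Cloud code or its RQL, that implements the "current" and "updated" logic of each side by side so the difference is visible; the AWS field names (Engine, CopyTagsToSnapshot, AttachmentCount, PolicyDocument, topic policy Principal) are assumptions about the AWS API shapes, the "current" logic is an approximation, and the samples are constructed.

```python
# Added example (not Prisma Cloud code or its RQL): "current" versus "updated"
# logic for three RQL refinements on this page (RDS copy tags / DocDB from 22.3.2;
# SNS topic owner and IAM full-admin attachment from 22.3.1). Field names follow
# the AWS API shapes (describe-db-instances, get-policy, get-topic-attributes) and
# are assumptions; "current" logic is an approximation; samples are constructed.
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def rds_copy_tags_disabled(db: dict, updated: bool) -> bool:
    """AWS RDS instance with copy tags to snapshots disabled.
    Updated RQL ignores the docdb engine, which does not support CopyTagsToSnapshot."""
    if updated and db.get("Engine") == "docdb":
        return False
    return not db.get("CopyTagsToSnapshot", False)

def iam_policy_full_admin(policy: dict, updated: bool) -> bool:
    """AWS IAM policy allows full administrative privileges.
    Updated RQL reports only policies attached to a user, group or role."""
    stmts = _as_list(policy["PolicyDocument"]["Statement"])
    full_admin = any(s.get("Effect") == "Allow"
                     and "*" in _as_list(s.get("Action", []))
                     and "*" in _as_list(s.get("Resource", [])) for s in stmts)
    if updated and policy.get("AttachmentCount", 0) == 0:
        return False
    return full_admin

def sns_topic_cross_account(topic_arn: str, policy_json: str, updated: bool) -> bool:
    """AWS SNS topic with cross-account access.
    Updated RQL ignores principals that belong to the topic owner's own account."""
    owner = topic_arn.split(":")[4]
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            account = p.split(":")[4] if p.startswith("arn:") else p
            if updated and account == owner:
                continue
            return True  # wildcard or a principal outside the owner account
    return False

# Constructed samples: each is reported by the current logic only.
DOCDB = {"DBInstanceIdentifier": "docs-1", "Engine": "docdb", "CopyTagsToSnapshot": False}
UNATTACHED_ADMIN = {"PolicyName": "legacy-admin", "AttachmentCount": 0, "PolicyDocument":
                    {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}
OWN_ARN = "arn:aws:sns:us-east-1:111122223333:alerts"
OWN_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Action": "SNS:Publish", "Resource": OWN_ARN,
                                        "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]})
```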
New Compliance Benchmarks and Updates
| COMPLIANCE BENCHMARK | DESCRIPTION |
| --- | --- |
| Update AWS CIS v1.3.0 and v1.4.0 | The AWS S3 CloudTrail buckets for which access logging is disabled policy has been mapped to AWS CIS v1.3.0 and v1.4.0, section 3.6. Impact— The compliance report score will change because a new mapping has been added. |
REST API Updates
CSPM Policy API Endpoints

This change was first announced in the look ahead that was published with the 22.2.2 release. If you specify an RQL statement rather than a search ID for the rule.criteria request body parameter, the value of the rule.criteria attribute in the resulting response object is a UUID and not the RQL itself. This change affects the following API requests:

You can use the UUID with the following requests to determine the corresponding RQL statement: