1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Release Notes
    5. Prisma™ Cloud Release Information
    6. Features Introduced in 2022
    7. Features Introduced in March 2022

    Features Introduced in March 2022

    Learn what's new on Prisma™ Cloud in March 2022.

    New Features Introduced in 22.3.2

    New Features

    FEATURE
    DESCRIPTION
    Azure Custom Roles
    Prisma Cloud now gives you the ability to create custom roles which enable you to onboard your cloud accounts with a granular set of permissions and enforce the principle of least privilege.
    When you view the status of
    Cloud Accounts
    , you can now review the details on missing permissions.
    Access Control Settings
    Prisma Cloud now includes a new navigation menu in
    Settings
     called
    Access Control
    . The
    Roles
    ,
    Users
    ,
    Access Keys
    , and
    SSO
     pages have all been consolidated under this location, and are accessible as tabs in the header.
    In addition, an
    Add
     button is now included which handles unified actions across these tabs, enabling you to perform various operations such as creating a role or access key from a single location.
    Automatically Receive Detailed Reports With Email Alerts
    When you configure your alert rules to instantly send emails, a detailed report is automatically included as an attachment.
    API Ingestions
    AWS Storage Gateway
    aws-storage-gateway-cached-volume
    Additional permissions required:
    • storagegateway:ListVolumes
    • storagegateway:DescribeCachediSCSIVolumes
    AWS Storage Gateway
    aws-storage-gateway-tape
    Additional permissions required:
    • storagegateway:ListTapes
    • storagegateway:DescribeTapes
    AWS XRAY
    aws-xray-encryption-config
    Additional permission required:
    xray:GetEncryptionConfig
    Azure Virtual Network
    azure-network-natgateway
    Additional permission required:
    Microsoft.Network/natGateways/read
    Azure Data Catalog
    azure-datacatalog-catalog
    Additional permission required:
    Microsoft.DataCatalog/catalogs/read
    Google Cloud Bigtable
    gcloud-bigtable-instance-cluster-backup-list
    Additional permissions required: 
    • bigtable.backups.list
    • bigtable.backups.getIamPolicy
    Google Cloud Spanner backups
    gcloud-cloud-spanner-instance-backup
    Additional permission required: None
    Google Secrets Manager
    gcloud-secretsmanager-secrets-version
    Additional permission required:
    secretmanager.versions.list
    Google VPC
    gcloud-compute-org-firewall-policy
    Additional permission required:
    compute.firewallPolicies.list
    Google Certificate Authority Service
    gcloud-certificate-authority-ca
    Additional permissions required:
    • privateca.caPools.list
    • privateca.certificateAuthorities.list
    OCI API Management
    oci-apimanagement-apigateway
    Additional permissions required:
    • inspect api-gateways
    • read api-gateways

    New Policies and Policy Updates

    POLICY UPDATES
    DESCRIPTION
    New Policies
    AWS IAM Access analyzer is not configured
    Identifies AWS regions that do not have IAM Access Analyzer configured. AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as IAM roles, that are shared with an external entity so that you can identify unintended access to your resources and data. As a best practice, configure Access Analyzer in all regions of your account.
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-access-analyzer' AND json.rule = status equals ACTIVE as X; config from cloud.resource where api.name = 'aws-region' AND json.rule = optInStatus does not equal not-opted-in as Y; filter '$.X.arn contains $.Y.regionName'; show X; count(X) less than 1
    Azure Spring Cloud app end-to-end TLS is disabled
    Identifies Azure Spring Cloud apps that have end-to-end TLS disabled. Enabling end-to-end TLS and or SSL will secure traffic from ingress controller to apps. After you enable end-to-end TLS and load a certificate from the key vault, all communications within Azure Spring Cloud are secured with TLS. As a best practice, use end-to-end TLS to secure the traffic from Spring Cloud apps.
    config from cloud.resource where api.name = 'azure-spring-cloud-service' AND json.rule = properties.powerState equals Running and sku.tier does not equal Basic as X; config from cloud.resource where api.name = 'azure-spring-cloud-app' AND json.rule = properties.provisioningState equals Succeeded and properties.enableEndToEndTLS is false as Y; filter '$.X.name equals $.Y.serviceName'; show Y;
    Azure Spring Cloud app system-assigned managed identity is disabled
    Identifies Azure Spring Cloud apps that have system assigned managed identity disabled. System assigned managed identity can be used to authenticate any service that supports Azure AD authentication, without having credentials in your code. Storing credentials in code increases the threat surface in case of exploitation which managed identities eliminate the need for. As a best practice, assign system managed identity to your Spring Cloud apps.
    config from cloud.resource where api.name = 'azure-spring-cloud-service' AND json.rule = properties.powerState equals Running as X; config from cloud.resource where api.name = 'azure-spring-cloud-app' AND json.rule = properties.provisioningState equals Succeeded and identity does not exist as Y; filter '$.X.name equals $.Y.serviceName'; show Y;
    GCP API key not restricted to use by specified Hosts and Apps
    Identifies GCP API keys that are not restricted by any specific hosts or apps. Unrestricted keys are insecure because they can be viewed publicly, such as within a browser, or they can be accessed on a device where the key resides. As a best practice, restrict API key usage to trusted hosts, HTTP referrers, and apps.
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-api-key' AND json.rule = (restrictions.browserKeyRestrictions does not exist and restrictions.serverKeyRestrictions does not exist and restrictions.androidKeyRestrictions does not exist and restrictions.iosKeyRestrictions does not exist) or (restrictions.browserKeyRestrictions exists and (restrictions.browserKeyRestrictions[?any(allowedReferrers[*] equals "*")] exists or restrictions.browserKeyRestrictions[?any(allowedReferrers[*] equals "*.[TLD]")] exists or restrictions.browserKeyRestrictions[?any(allowedReferrers[*] equals "*.[TLD]/*")] exists)) or (restrictions.serverKeyRestrictions exists and (restrictions.serverKeyRestrictions[?any(allowedIps[*] equals 0.0.0.0)] exists or restrictions.serverKeyRestrictions[?any(allowedIps[*] equals 0.0.0.0/0)] exists or restrictions.serverKeyRestrictions[?any(allowedIps[*] equals ::/0)] exists or restrictions.serverKeyRestrictions[?any(allowedIps[*] equals ::0)] exists))
    Policy Updates—Metadata
    Azure Network Watcher Network Security Group (NSG) flow logs are disabled
    Changes
    —The policy recommendation has been updated to include end-to-end configuration information. The policy RQL has also been updated to remove
    $
     to be consistent across all RQLs.
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nsg-list' AND json.rule = flowLogsSettings does not exist or flowLogsSettings.enabled is false
    Impact
    —No impact on existing alerts.
    Azure App Service Web app doesn't have a Managed Service Identity
    Changes
    —The policy RQL has been updated to exclude user assigned identities App Service from reporting because, App Service can be assigned with user assigned identities. The policy description and recommendation have also been updated to reflect the changes.
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = kind starts with app and (identity.type does not exist or (identity.type exists and identity.type does not contain SystemAssigned and identity.type does not contain UserAssigned))
    Impact
    —Previously generated alerts for App Services using user assigned identities will be resolved as Policy_Updated.
    AWS RDS instance with copy tags to snapshots disabled
    Changes
    —The policy was reporting false positive alerts for AWS DocumentDB instances as the copyTagsToSnapshot feature was not supported for DocDB. The policy RQL has been updated to ignore docdb engine instances.
    Current
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = 'dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'
    Updated to
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb
    Impact
    —Alerts for resources that have a docdb engine instance will be resolved to Policy_Updated.

    Changes in Existing Behavior

    FEATURE
    CHANGE
    CSPM Alert API Rate Limits
    Prisma Cloud continues to enable rate limiting on the API endpoints, in order to ensure availability and scalability of Prisma Cloud APIs. The following API rate limits are implemented for the Alerts API endpoints starting in 22.3.2:
    • GET /v2/alert
      • Request rate limit: 2/sec
      • Burst limit: 10/sec
    • POST /v2/alert
      • Request rate limit: 2/sec
      • Burst limit: 10/sec
    • GET /alert/count/{status}
      • Request rate limit: 2/sec
      • Burst limit: 10/sec
    • GET /alert
      • Request rate limit: 2/sec
      • Burst limit: 10/sec
    • POST /alert
      • Request rate limit: 2/sec
      • Burst limit: 10/sec
    • GET /alert/policy
      • Request rate limit: 1/sec
      • Burst limit: 5/sec
    • POST /alert/policy
      • Request rate limit: 1/sec
      • Burst limit: 5/sec
    • GET /alert/{id}
      • Request rate limit: 5/sec
      • Burst limit: 10/sec
    • POST /alert/jobs
      • Request rate limit: 2/sec
      • Burst limit: 10/sec
    • POST /alert/policy/jobs
      • Request rate limit: 1/sec
      • Burst limit: 5/sec
    Update
     permission in the aws-s3api-get-bucket-acl API
    The
    aws-s3api-get-bucket-acl
    API has been updated to include the following permission:
    s3:GetBucketOwnershipControls
    This enables you to get the default ownership settings for objects in your S3 buckets.

    REST API Updates

    CHANGE
    DESCRIPTION
    CSPM Alert API Rate Limits
    See Changes in Existing Behavior for a description of new CSPM Alert API rate limits.
    Removal of Deprecated IaC Scan API V2
    The deprecated IaC Scan API V2 has been removed. A new Code Security API is available for Infrastructure-as-Code security checks.

    New Features Introduced in 22.3.1

    New Features

    FEATURE
    DESCRIPTION
    License Support in Alarm Center
    Prisma Cloud includes a new
    License
     Alarm Type, which raises an alarm based on the following cases:
    • License Usage
      —An alarm is raised on the last day of the month if your monthly usage is >80% (configurable limit) of the credits purchased.
    • License Expiry
      —An alarm is raised 1 month before your license expires (for non-POC tenants).
    • Module Activation Failure
      —An alarm is raised for any module provisioning failures.
    Update
    Prisma Cloud Data Security—New File Extensions Supported for Malware Scanning
    Prisma Cloud can now scan the following types of file extensions on your storage buckets for malware:
    • .pdf
    • .doc
    • .docx
    • .xls
    • .xlsx
    • .ppt
    • .pptx
    • .docm
    • .dotm
    • .xlm
    • .xlsm
    • .xltm
    • .pptm
    • .potm
    • .ppsm
    Support for New Regions on OCI
    Prisma Cloud now ingests data for resources deployed in the Jerusalem, Marseille, and Singapore cloud regions on OCI.
    To review a list of supported regions, select
    Inventory
    Assets
    , and choose
    Cloud Region
     from the filter drop-down.
    Support for the Abu Dhabi, Milan, Stockholm, and Johannesburg regions is released as a beta.
    API Ingestions
    Amazon Neptune
    aws-neptune-db-cluster-parameter-group
    Additional permissions required:
    rds:DescribeDBClusterParameters
    rds:DescribeDBClusterParameterGroups
    rds:ListTagsForResource
    Amazon QuickSight
    aws-quicksight-account-setting
    Additional permissions required:
    quicksight:DescribeAccountSettings
    Amazon VPC
    aws-ec2-client-vpn-endpoint
    Additional permission required:
    ec2:DescribeClientVpnEndpoints
    Google Certificate Authority Service
    gcloud-certificate-authority-pool
    Additional permissions required:
    privateca.caPools.getIamPolicy
    privateca.caPools.list
    Google Compute Engine
    gcloud-compute-instances-list
    Additional permission required:
    compute.instances.getIamPolicy
    Google Compute Engine
    gcp-compute-disk-list
    Additional permission required:
    compute.disks.getIamPolicy
    Google Cloud IAM
    gcloud-iam-workload-identity-provider
    Additional permission required:
    iam.workloadIdentityPoolProviders.list
    Google Cloud IAM
    gcloud-iam-workload-identity-pool
    Additional permission required:
    iam.workloadIdentityPools.list
    The IAM Workload Identity Prisma Cloud APIs provide only the workload identity pools and providers created under Workload Identity Federation as part of the IAM service.
    Refer to
    api - gcloud-container-describe-clusters
     for Workload Identity Configuration details of GKE Clusters.
    OCI Web Application Firewall
    oci-waf-webappfirewallpolicy
    Additional permissions required:
    Allow group ${oci_identity_group.group.name} to inspect waf-policy in tenancy
    Allow group ${oci_identity_group.group.name} to read waf-policy in tenancy
    Update
    Azure Service Bus
    azure-service-bus-namespace
    This API has been updated to show the following new fields in the resource JSON:
    publicNetworkAccess
    disableLocalAuth

    New Policies and Policy Updates

    POLICY UPDATES
    DESCRIPTION
    New Policies
    Azure MariaDB database server with SSL connection disabled
    Identifies MariaDB database servers for which SSL enforce status is disabled. It is recommended to enforce SSL for accessing your database server.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-database-maria-db-server' AND json.rule = properties.userVisibleState equals Ready and properties.sslEnforcement equals Disabled
    Azure MariaDB database server not using latest TLS version
    Identifies Azure MariaDB database servers that are not using the latest TLS version for SSL enforcement. As a best practice, use the newer TLS version as the minimum TLS version for the MariaDB database server. Currently, Azure MariaDB supports TLS 1.2 version which resolves the security gap from its preceding versions.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-database-maria-db-server' AND json.rule = properties.userVisibleState equals Ready and properties.sslEnforcement equals Enabled and properties.minimalTlsVersion does not equal TLS1_2
    Azure Key vault Private Endpoint Connection is not configured
    Identifies Key vaults that are not configured with a private endpoint connection. It is recommended to configure Private Endpoint Connection to Key vaults.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-key-vault-list' AND json.rule = properties.provisioningState equals Succeeded and properties.privateEndpointConnections[*] does not exist
    Policy Updates—Metadata
    The policy name and description have been updated to describe the policy better.
    Current name
    AWS RDS event subscription disabled for DB instance
    Updated to
    AWS RDS Event subscription All event categories and All instances disabled for DB instance
    Updated description
    —Identifies AWS RDS event subscriptions for DB instance which has 'All event categories' and 'All instances' as disabled. As a best practice, enable 'All event categories' for 'All instances' to get notified when an event occurs for a DB instance.
    Impact
    —No impact on existing alerts.
    Policy Updates—RQL
    AWS SNS topic with cross-account access
    Changes
    —The RQL has been updated to ignore resources when SNS topic owner is itself.
    Current RQL
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS does not equal * and Principal does not equal * and Principal.AWS contains arn))] exists
    Updated to
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS does not equal * and Principal does not equal * and Principal.AWS contains arn and Principal.AWS does not contain $.Owner))] exists
    Impact
    —Previously generated alerts for resources where SNS topic owner was itself will be resolved as Policy_Updated.
    AWS IAM policy allows full administrative privileges
    Changes
    —The RQL has been updated to check only if policy is attached to any user, roles, or groups.
    Current RQL
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = 'document.Statement[?any(Action equals * and Resource equals * and Effect equals Allow)] exists and (policyArn exists and policyArn does not contain iam::aws:policy/AdministratorAccess)'
    Updated to
    cconfig from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Action anyStartWith * and Resource equals * and Effect equals Allow)] exists and (policyArn exists and policyArn does not contain iam::aws:policy/AdministratorAccess)
    Impact
    —Previously generated alerts for resources that are not attached to any user, roles, or groups will be resolved as Policy_Updated.
    GCP Cloud Function HTTP trigger is not secured
    Changes
    —The RQL has been modified to generate alerts only for HTTP triggers that are not secure.
    Current RQL
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-function' AND json.rule = status equals ACTIVE and httpsTrigger.securityLevel does not equal SECURE_ALWAYS
    Updated to
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-function' AND json.rule = status equals ACTIVE and httpsTrigger exists and httpsTrigger.securityLevel does not equal SECURE_ALWAYS
    Impact
    —Previously generated alerts associated with non-HTTP triggers will be resolved as Policy_Updated.

    New Compliance Benchmarks and Updates

    COMPLIANCE BENCHMARK
    DESCRIPTION
    Update
    AWS CIS v1.3.0 and v1.4.0
    The
    AWS S3 CloudTrail buckets for which access logging is disabled
     policy has been mapped to AWSCIS v1.3.0 and v1.4.0, section 3.6.
    Impact
    —The compliance report score will be impacted because a new mapping has been added.

    REST API Updates

    CHANGE
    DESCRIPTION
    CSPM Policy API Endpoints
    This change was first announced in the look ahead that was published with the 22.2.2 release.
    If you specify an RQL statement rather than a search ID for the
    rule.criteria
     request body parameter, the value of the
    rule.criteria
     attribute in the resulting response object will be a UUID and not the RQL itself. This change affects the following API requests:
    • POST /policy
    • PUT /policy/{id}
    You can use the UUID with the following requests to determine the corresponding RQL statement:
    • GET /search/history
      where the response object includes both the UUID and RQL
    • GET /search/history/{UUID}

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo