Features Introduced in March 2022
Learn what's new on Prisma™ Cloud in March 2022.
New Features Introduced in 22.3.2
New Features
FEATURE | DESCRIPTION |
---|---|
Azure Custom Roles | Prisma Cloud now lets you create custom roles so you can onboard your cloud accounts with a granular set of permissions and enforce the principle of least privilege. When you view the status of Cloud Accounts, you can now review the details of any missing permissions. |
Access Control Settings | Prisma Cloud now includes a new navigation menu in Settings called Access Control. The Roles, Users, Access Keys, and SSO pages have been consolidated under this location and are accessible as tabs in the header. In addition, an Add button handles unified actions across these tabs, so you can perform operations such as creating a role or an access key from a single location. |
Automatically Receive Detailed Reports With Email Alerts | When you configure your alert rules to send emails instantly, a detailed report is automatically included as an attachment. |
API Ingestions | AWS Storage Gateway aws-storage-gateway-cached-volume. Additional permissions required: |
 | AWS Storage Gateway aws-storage-gateway-tape. Additional permissions required: |
 | AWS X-Ray aws-xray-encryption-config. Additional permission required: |
 | Azure Virtual Network azure-network-natgateway. Additional permission required: |
 | Azure Data Catalog azure-datacatalog-catalog. Additional permission required: |
 | Google Cloud Bigtable gcloud-bigtable-instance-cluster-backup-list. Additional permissions required: |
 | Google Cloud Spanner backups gcloud-cloud-spanner-instance-backup. Additional permission required: None |
 | Google Secret Manager gcloud-secretsmanager-secrets-version. Additional permission required: |
 | Google VPC gcloud-compute-org-firewall-policy. Additional permission required: |
 | Google Certificate Authority Service gcloud-certificate-authority-ca. Additional permissions required: |
 | OCI API Management oci-apimanagement-apigateway. Additional permissions required: |
New Policies and Policy Updates
POLICY UPDATES | DESCRIPTION |
---|---|
New Policies | AWS IAM Access Analyzer is not configured. Identifies AWS regions that do not have IAM Access Analyzer configured. IAM Access Analyzer helps you identify resources in your organization and accounts, such as IAM roles, that are shared with an external entity, so that you can find unintended access to your resources and data. As a best practice, configure Access Analyzer in every region of your account. |
 | Azure Spring Cloud app end-to-end TLS is disabled. Identifies Azure Spring Cloud apps that have end-to-end TLS disabled. Enabling end-to-end TLS secures traffic from the ingress controller to the apps. After you enable end-to-end TLS and load a certificate from Key Vault, all communication within Azure Spring Cloud is secured with TLS. As a best practice, use end-to-end TLS to secure the traffic to your Spring Cloud apps. |
 | Azure Spring Cloud app system-assigned managed identity is disabled. Identifies Azure Spring Cloud apps that have the system-assigned managed identity disabled. A system-assigned managed identity can authenticate to any service that supports Azure AD authentication without keeping credentials in your code. Credentials stored in code increase the attack surface if the code is exposed; managed identities remove the need for them. As a best practice, assign a system-assigned managed identity to your Spring Cloud apps. |
 | GCP API key not restricted to use by specified Hosts and Apps. Identifies GCP API keys that are not restricted to specific hosts or apps. Unrestricted keys are insecure because they can be viewed publicly, for example in a browser, or read from any device on which the key resides, and then used from anywhere. As a best practice, restrict API key usage to trusted hosts, HTTP referrers, and apps. |
Policy Updates—Metadata | Azure Network Watcher Network Security Group (NSG) flow logs are disabled. Changes —The policy recommendation has been updated to include end-to-end configuration information. The policy RQL has also been updated to remove $ for consistency across all RQLs. Updated RQL — Impact —No impact on existing alerts. |
 | Azure App Service Web app doesn't have a Managed Service Identity. Changes —The policy RQL has been updated to stop reporting App Services that use a user-assigned identity, because an App Service can be assigned a user-assigned identity instead of a system-assigned one. The policy description and recommendation have also been updated to reflect this. Updated RQL — Impact —Previously generated alerts for App Services that use user-assigned identities will be resolved as Policy_Updated. |
 | AWS RDS instance with copy tags to snapshots disabled. Changes —The policy was generating false-positive alerts for Amazon DocumentDB instances because the copyTagsToSnapshot feature is not supported for DocumentDB. The policy RQL has been updated to ignore instances with the docdb engine. Current — Updated to — Impact —Alerts for resources with a docdb engine instance will be resolved as Policy_Updated. |
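The GCP API key policy above reports keys with no host or app restriction. As an added example (this is not Prisma Cloud code and not the policy's actual RQL), the check below evaluates API keys shaped like the API Keys API v2 Key resource, whose restrictions object carries browserKeyRestrictions, serverKeyRestrictions, androidKeyRestrictions, and iosKeyRestrictions. The sample keys are constructed for the demo; the project and key names in them are placeholders.

```python
"""Added example, not Prisma Cloud code: flag GCP API keys with no application
restriction (hosts, IPs, Android packages, iOS bundles).  Input follows the API
Keys API v2 Key resource layout; SAMPLE_KEYS below are constructed placeholders."""

# Application-restriction blocks of the v2 "restrictions" object and the list
# inside each that must be non-empty for the key to count as restricted.
APP_RESTRICTION_LISTS = {
    "browserKeyRestrictions": "allowedReferrers",     # HTTP referrers
    "serverKeyRestrictions": "allowedIps",            # IP addresses / CIDR ranges
    "androidKeyRestrictions": "allowedApplications",  # package name + SHA-1 fingerprint
    "iosKeyRestrictions": "allowedBundleIds",         # iOS bundle IDs
}


def application_restrictions(key: dict) -> dict:
    """Return only the non-empty application restriction lists of a Key resource."""
    restrictions = key.get("restrictions") or {}
    found = {}
    for block, list_name in APP_RESTRICTION_LISTS.items():
        values = (restrictions.get(block) or {}).get(list_name) or []
        if values:
            found[block] = values
    return found


def is_unrestricted(key: dict) -> bool:
    """True when the key can be used from any host or app.

    apiTargets (an API restriction) alone does not satisfy the policy: a key
    limited to one Google API but usable from anywhere is still reported.
    An empty allowed-list is treated the same as no restriction at all."""
    return not application_restrictions(key)


def unrestricted_keys(keys) -> list:
    """Names of the keys that violate the policy, in input order."""
    return [k["name"] for k in keys if is_unrestricted(k)]


# Constructed sample (placeholder project and key names, not real keys).
SAMPLE_KEYS = [
    {"name": "projects/demo/locations/global/keys/web",
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]}}},
    {"name": "projects/demo/locations/global/keys/backend",
     "restrictions": {"serverKeyRestrictions": {"allowedIps": ["203.0.113.0/24"]}}},
    {"name": "projects/demo/locations/global/keys/maps-only",
     "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
    {"name": "projects/demo/locations/global/keys/empty-list",
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": []}}},
    {"name": "projects/demo/locations/global/keys/legacy"},
]

if __name__ == "__main__":
    for name in unrestricted_keys(SAMPLE_KEYS):
        print("UNRESTRICTED:", name)
```

Feed it the items of a keys.list response (or the Prisma Cloud resource JSON, if its layout matches) and it returns the three keys that would alert: the API-only key, the key with an empty referrer list, and the key with no restrictions block at all.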
Changes in Existing Behavior
FEATURE | CHANGE |
---|---|
CSPM Alert API Rate Limits | Prisma Cloud continues to roll out rate limiting on API endpoints to ensure the availability and scalability of the Prisma Cloud APIs. The following rate limits apply to the Alerts API endpoints starting in 22.3.2: |
Updated permission in the aws-s3api-get-bucket-acl API | The aws-s3api-get-bucket-acl API has been updated to include the following permission: This permission lets Prisma Cloud retrieve the default object ownership settings for your S3 buckets. |
REST API Updates
CHANGE | DESCRIPTION |
---|---|
CSPM Alert API Rate Limits | See Changes in Existing Behavior for a description
of new CSPM Alert API rate limits. |
Removal of Deprecated IaC Scan API V2 | The deprecated IaC Scan API V2 has been
removed. A new Code Security API is available
for Infrastructure-as-Code security checks. |
New Features Introduced in 22.3.1
New Features
FEATURE | DESCRIPTION |
---|---|
License Support in Alarm Center | Prisma Cloud includes a new License alarm type, which raises an alarm in the following cases: |
Update Prisma Cloud Data Security—New File Extensions Supported for Malware Scanning | Prisma Cloud can now scan files with the following extensions in your storage buckets for malware: |
Support for New Regions on OCI | Prisma Cloud now ingests data for resources deployed in the Jerusalem, Marseille, and Singapore OCI regions. To review the list of supported regions, select Inventory, then Assets, and choose Cloud Region from the filter drop-down. Support for the Abu Dhabi, Milan, Stockholm, and Johannesburg regions is released as a beta. |
API Ingestions | Amazon Neptune aws-neptune-db-cluster-parameter-group. Additional permissions required: |
 | Amazon QuickSight aws-quicksight-account-setting. Additional permissions required: |
 | Amazon VPC aws-ec2-client-vpn-endpoint. Additional permission required: |
 | Google Certificate Authority Service gcloud-certificate-authority-pool. Additional permissions required: |
 | Google Compute Engine gcloud-compute-instances-list. Additional permission required: |
 | Google Compute Engine gcp-compute-disk-list. Additional permission required: |
 | Google Cloud IAM gcloud-iam-workload-identity-provider. Additional permission required: |
 | Google Cloud IAM gcloud-iam-workload-identity-pool. Additional permission required: The IAM Workload Identity APIs in Prisma Cloud return only the workload identity pools and providers created under Workload Identity Federation as part of the IAM service. For the Workload Identity configuration of GKE clusters, refer to the gcloud-container-describe-clusters API. |
 | OCI Web Application Firewall oci-waf-webappfirewallpolicy. Additional permissions required: |
 | Update: Azure Service Bus azure-service-bus-namespace. This API has been updated to show the following new fields in the resource JSON: |
New Policies and Policy Updates
POLICY UPDATES | DESCRIPTION |
---|---|
New Policies | Azure MariaDB database server with SSL connection disabled. Identifies Azure MariaDB database servers on which SSL enforcement is disabled. It is recommended to enforce SSL for all connections to your database server. |
 | Azure MariaDB database server not using latest TLS version. Identifies Azure MariaDB database servers that do not use the latest TLS version for SSL enforcement. As a best practice, set the newest supported TLS version as the minimum TLS version for the MariaDB database server. Azure MariaDB currently supports TLS 1.2, which closes the security gaps of the preceding versions. |
 | Azure Key Vault Private Endpoint Connection is not configured. Identifies Key Vaults that are not configured with a private endpoint connection. It is recommended to configure a Private Endpoint Connection for Key Vaults so that traffic to them stays on the private network. |
Policy Updates—Metadata | AWS RDS event subscription disabled for DB instance. Changes —The policy name and description have been updated to describe the policy better. Current name —AWS RDS event subscription disabled for DB instance. Updated to —AWS RDS Event subscription All event categories and All instances disabled for DB instance. Updated description —Identifies AWS RDS event subscriptions for DB instances that have 'All event categories' and 'All instances' disabled. As a best practice, enable 'All event categories' for 'All instances' to be notified when an event occurs for a DB instance. Impact —No impact on existing alerts. |
Policy Updates—RQL | AWS SNS topic with cross-account access. Changes —The RQL has been updated to ignore topics whose policy grants access only to the topic owner's own account. Current RQL — Updated to — Impact —Previously generated alerts for topics whose policy only granted the owner's own account will be resolved as Policy_Updated. |
 | AWS IAM policy allows full administrative privileges. Changes —The RQL has been updated to report a policy only if it is attached to at least one user, group, or role. Current RQL — Updated to — Impact —Previously generated alerts for policies that are not attached to any user, group, or role will be resolved as Policy_Updated. |
 | GCP Cloud Function HTTP trigger is not secured. Changes —The RQL has been modified to generate alerts only for HTTP triggers that are not secure; functions with other trigger types are no longer evaluated. Current RQL — Updated to — Impact —Previously generated alerts for functions with non-HTTP triggers will be resolved as Policy_Updated. |
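The three RQL updates above all narrow a detection rather than widen it: an admin policy only matters once it is attached, an SNS policy that names only the owner's account is not cross-account, and a Pub/Sub- or Storage-triggered function has no HTTP security level to check. As an added example (not Prisma Cloud code and not the updated RQLs themselves), the Python below re-implements that narrowed logic over constructed resource JSON. Field names follow the AWS IAM GetPolicy, SNS GetTopicAttributes, and Cloud Functions v1 API layouts; the account IDs, ARNs, and function names are placeholders.

```python
"""Added example, not Prisma Cloud code: the narrowed logic of the three 22.3.1 RQL
updates (SNS cross-account, IAM full admin, Cloud Function HTTP trigger) over
constructed sample resources.  All IDs, ARNs and names below are placeholders."""


def _as_list(value):
    """IAM policy grammar allows a string or a list in most positions; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy_doc: dict):
    """Yield Allow statements; Statement itself may be a single object or a list."""
    for st in _as_list(policy_doc.get("Statement")):
        if st.get("Effect") == "Allow":
            yield st


# 1. AWS IAM policy allows full administrative privileges
def grants_full_admin(policy_doc: dict) -> bool:
    """Allow with Action "*" on Resource "*" (the CIS full-admin test)."""
    return any("*" in _as_list(st.get("Action")) and "*" in _as_list(st.get("Resource"))
               for st in _allow_statements(policy_doc))


def admin_policies_in_use(policies) -> list:
    """Items look like GetPolicy output plus its default version Document.
    Only policies with AttachmentCount > 0 are reported (the 22.3.1 change)."""
    return [p["PolicyName"] for p in policies
            if p.get("AttachmentCount", 0) > 0 and grants_full_admin(p["Document"])]


# 2. AWS SNS topic with cross-account access
def _principal_accounts(principal) -> set:
    """Account IDs named by an AWS Principal element; '*' stands for anyone."""
    values = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
    accounts = set()
    for v in values:
        if v == "*":
            accounts.add("*")
        elif v.startswith("arn:"):      # arn:aws:iam::123456789012:root -> field 4
            accounts.add(v.split(":")[4])
        elif v.isdigit():               # bare 12-digit account ID
            accounts.add(v)
    return accounts


def _pinned_to_account(statement: dict, account: str) -> bool:
    """StringEquals on AWS:SourceOwner / aws:SourceAccount limited to `account`;
    this is how the default SNS topic policy scopes its Principal "*" to the owner."""
    for operator, pairs in (statement.get("Condition") or {}).items():
        if operator == "StringEquals":
            for key, val in pairs.items():
                if key.lower() in ("aws:sourceowner", "aws:sourceaccount") and set(_as_list(val)) == {account}:
                    return True
    return False


def sns_cross_account(topic: dict) -> bool:
    """topic: {"TopicArn", "Owner", "Policy"}.  Statements that grant only the
    owner's account (directly, or "*" pinned by condition) are ignored."""
    owner = topic["Owner"]
    for st in _allow_statements(topic["Policy"]):
        if _pinned_to_account(st, owner):
            continue
        if _principal_accounts(st.get("Principal")) - {owner}:
            return True
    return False


# 3. GCP Cloud Function HTTP trigger is not secured
def http_trigger_insecure(function: dict) -> bool:
    """Only httpsTrigger functions are evaluated; eventTrigger functions have no
    securityLevel and are skipped instead of being reported."""
    trigger = function.get("httpsTrigger")
    return trigger is not None and trigger.get("securityLevel") != "SECURE_ALWAYS"


# Constructed samples (placeholder IDs, ARNs and names).
ADMIN_DOC = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
SAMPLE_POLICIES = [
    {"PolicyName": "AdminAll", "AttachmentCount": 2, "Document": ADMIN_DOC},
    {"PolicyName": "AdminUnattached", "AttachmentCount": 0, "Document": ADMIN_DOC},
    {"PolicyName": "ReadOnly", "AttachmentCount": 5,
     "Document": {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}},
]
OWNER = "111122223333"
SAMPLE_TOPICS = [
    {"TopicArn": "arn:aws:sns:us-east-1:111122223333:default", "Owner": OWNER,
     "Policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "SNS:Publish",
                               "Resource": "*", "Condition": {"StringEquals": {"AWS:SourceOwner": OWNER}}}]}},
    {"TopicArn": "arn:aws:sns:us-east-1:111122223333:shared", "Owner": OWNER,
     "Policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
                               "Action": "SNS:Subscribe", "Resource": "*"}]}},
    {"TopicArn": "arn:aws:sns:us-east-1:111122223333:public", "Owner": OWNER,
     "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "SNS:Publish", "Resource": "*"}]}},
]
SAMPLE_FUNCTIONS = [
    {"name": "projects/demo/locations/us-central1/functions/webhook",
     "httpsTrigger": {"url": "https://example.invalid/webhook", "securityLevel": "SECURE_OPTIONAL"}},
    {"name": "projects/demo/locations/us-central1/functions/on-upload",
     "eventTrigger": {"eventType": "google.storage.object.finalize", "resource": "projects/_/buckets/demo"}},
]


def run_checks() -> dict:
    """Evaluate the samples; returns the resource names each policy would alert on."""
    return {
        "admin_policies": admin_policies_in_use(SAMPLE_POLICIES),
        "cross_account_topics": [t["TopicArn"] for t in SAMPLE_TOPICS if sns_cross_account(t)],
        "insecure_http_functions": [f["name"] for f in SAMPLE_FUNCTIONS if http_trigger_insecure(f)],
    }
```

The SNS check is the one to read carefully: the default topic policy AWS writes on creation uses Principal "*" with a StringEquals condition on AWS:SourceOwner, so a check that looks only at the Principal would flag every untouched topic. Treating that pinned statement as owner-only is what keeps the result to the genuinely shared and public topics.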
New Compliance Benchmarks and Updates
COMPLIANCE BENCHMARK | DESCRIPTION |
---|---|
Update AWS CIS v1.3.0 and v1.4.0 | The policy AWS S3 CloudTrail buckets for which access logging is disabled has been mapped to AWS CIS v1.3.0 and v1.4.0, section 3.6. Impact —The compliance report score will change because a new mapping has been added. |
REST API Updates
CHANGE | DESCRIPTION |
---|---|
CSPM Policy API Endpoints (this change was first announced in the look-ahead published with the 22.2.2 release) | If you specify an RQL statement rather than a search ID for the rule.criteria request body parameter, the rule.criteria attribute in the response object will be a UUID rather than the RQL itself. This change affects the following API requests: You can use the UUID with the following requests to retrieve the corresponding RQL statement: |