Features Introduced in May 2022
Learn what's new on Prisma™ Cloud in May 2022.
New Features Introduced in 22.5.2
New Features
FEATURE | DESCRIPTION |
---|---|
Burndown Widgets in Adoption Advisor | The Adoption Advisor now includes two new widgets for risk and incident burndown. These widgets show you the number of high severity misconfigurations or risks and incidents detected in your cloud environment, and your team's progress on remediating these issues. The count of remediated risks and incidents includes alerts that are in the resolved, dismissed, or snoozed states. |
API Ingestions | Amazon EKS: aws-eks-node-group. Additional permissions required: |
| | Amazon Batch: aws-batch-compute-environment. Additional permission required: |
| | Amazon Lake Formation: aws-lake-formation-setting. Additional permission required: |
| | Azure App Service: azure-app-service-domain. Additional permission required: |
| | Azure App Service: azure-app-service-environment. Additional permission required: |
| | Azure App Service: azure-app-service-plan. Additional permission required: |
| | Azure Compute: azure-vm-start-time. No new permissions; the Reader role includes the required permissions. |
| | Google Stackdriver Logging: gcloud-logging-bucket. Additional permission required: |
| | Google Network Intelligence Center: gcloud-network-intelligence-center-firewall-insight. Additional permission required: |
| | Google Managed Microsoft AD: gcloud-managed-microsoft-ad-domain. Additional permissions required: |
| | OCI Data Flow: oci-dataflow-applications. Additional permissions required: This API is not supported in the ap-hyderabad-1 region. |
| | OCI Streaming: oci-streaming-streampools. Additional permissions required: |
| | OCI Streaming: oci-streaming-streams. Additional permissions required: |
| | Update Azure Storage: azure-storage-account-list. This API has been updated to show the following new field in the resource JSON: Azure Advanced threat protection settings are not supported in Azure China. |
Update gcloud-storage-buckets-list API ingestion | For new ingestions of this API, the metadata will no longer include the timeCreated attribute for the bucket. In RQL, the key will not be available in the json.rule attribute for auto completion, and you cannot define custom policies based on this key. If you have any saved searches that include the timeCreated attribute, they will no longer return resources. |
New Policies and Policy Updates
See the look-ahead updates for planned changes and policy updates in 22.6.1.
POLICY UPDATES | DESCRIPTION |
---|---|
New Policies | Azure Virtual Desktop session host is not configured with managed identity. Identifies Virtual Desktop session hosts that are not configured with managed identity. Managed identity can be used to authenticate to any service that supports Azure AD authentication, without having credentials in your code. Storing credentials in code increases the threat surface in case of exploitation, and managed identities eliminate the need for developers to manage credentials. As a security best practice, it is recommended to assign a managed identity to your Virtual Desktop session hosts. |
| | AWS IAM Policy permission may cause privilege escalation. Identifies AWS IAM policies that have permissions that may cause privilege escalation. An AWS IAM policy with weak permissions could be exploited by an attacker to elevate privileges. It is recommended to follow the principle of least privilege, ensuring that the AWS IAM policy does not have these sensitive permissions. |
| | Azure Spring Cloud service is not configured with virtual network. Identifies Azure Spring Cloud services that are not configured with a virtual network. Spring Cloud configured with a virtual network isolates apps and the service runtime from the internet on your corporate network and provides control over inbound and outbound network communications for Azure Spring Cloud. As a security best practice, it is recommended to deploy the Spring Cloud service in a virtual network. |
Policy Updates—RQL | GCP Firewall rule allows all traffic on HTTP port (80). Changes — The RQL is modified to check whether the firewall rule is disabled and includes an IPv6 check. The remediation CLI is modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required:<br>Current RQL —<br>Updated RQL —<br>Updated CLI —<br>Impact — Low. |
| | GCP Firewall rule allows all traffic on Telnet port (23). Changes — The RQL is modified to check whether the firewall rule is disabled and includes an IPv6 check. The remediation CLI is modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required:<br>Current RQL —<br>Updated RQL —<br>Updated CLI —<br>Impact — Low impact on new alerts that were generated based on the IP checks included in the updated RQL. |
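The two GCP firewall policy updates above describe the same three checks: skip rules that are disabled, treat an IPv6 "anywhere" source (::/0) the same as 0.0.0.0/0, and remediate by disabling the rule instead of deleting it. The following Python is an added illustration of that logic written for this page; it is not Prisma Cloud code or its RQL, and the rule documents are constructed sample data in the field layout that `gcloud compute firewall-rules list --format=json` returns. It generalizes the two policies to any TCP port and also handles port ranges and rules whose `IPProtocol` is `all`.

```python
"""Check GCP VPC firewall rules the way the updated HTTP (80) and Telnet (23)
policies describe: flag only ENABLED ingress rules that allow the port from an
unrestricted IPv4 (0.0.0.0/0) or IPv6 (::/0) source, and remediate by
disabling the rule rather than deleting it. The rules below are constructed
sample data, not output from a real project."""

ANY_SOURCE = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere" ranges


def _port_matches(spec: str, port: int) -> bool:
    """True if a GCP port spec ('80' or a range such as '20-25') covers port."""
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def rule_exposes_port(rule: dict, port: int) -> bool:
    """Return True when rule is an enabled INGRESS rule that allows TCP port
    (or every protocol) from an unrestricted IPv4 or IPv6 source range."""
    if rule.get("disabled", False):
        return False  # the updated RQL skips disabled rules
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if not ANY_SOURCE & set(rule.get("sourceRanges", [])):
        return False  # restricted to specific CIDRs, not "anywhere"
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        if proto == "all":
            return True
        if proto != "tcp":
            continue
        ports = allowed.get("ports")
        if not ports:
            return True  # tcp with no port list means every tcp port
        if any(_port_matches(p, port) for p in ports):
            return True
    return False


def find_exposing_rules(rules: list, port: int) -> list:
    """Names of rules that expose port, in the order given."""
    return [r["name"] for r in rules if rule_exposes_port(r, port)]


def remediation_command(rule_name: str) -> str:
    """Disable rather than delete, as the updated remediation CLI does."""
    return f"gcloud compute firewall-rules update {rule_name} --disabled"


# Constructed sample rules (only the fields the checks need).
SAMPLE_RULES = [
    {"name": "allow-http-v4", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-http-v6", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-http-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-http-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-telnet-range", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
    {"name": "allow-all-proto", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for port in (80, 23):
        for name in find_exposing_rules(SAMPLE_RULES, port):
            print(f"port {port} exposed by {name}: {remediation_command(name)}")
```

Note that `allow-http-disabled` is not reported even though its ranges and ports match: that is exactly the change the updated RQL makes, so rules already remediated by the new "disable" CLI do not keep alerting.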
REST API Updates
CHANGE | DESCRIPTION |
---|---|
Last Updated Timestamps for List Alerts V2 API | The lastUpdated attribute is now added to the List Alerts V2 response for the POST /v2/alert endpoint. This attribute contains a timestamp that indicates when an alert was last updated. The timestamp also reflects resource updates, policy updates, alert rule updates, alert status changes, and so on. |
New Features Introduced in 22.5.1
New Features
FEATURE | DESCRIPTION |
---|---|
Update Onboarding Cloud Accounts UI | The cloud accounts onboarding has an updated UI, and Prisma Cloud displays the onboarding information in a new and improved way. |
resource.state RQL Attribute | You can now use the optional source/dest.resource.state RQL attribute to find resources that are active (for example, an EC2 instance whose state is running) or inactive (for example, an EC2 instance whose state is stopped) on Prisma Cloud. The available values are Active or Inactive. For example:<br>When source/dest.resource.state is not specified in the query, the RQL query displays both Active and Inactive resources in the result. |
Change in Existing Behavior: Resolve Undeletes for Google Cloud Resources | All the resources for gcloud-container-describe-clusters, gcloud-compute-nat, and gcloud-iam-service-accounts-list will be deleted once and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against policy violations. |
API Ingestions | Amazon ECR: aws-ecr-registry-scanning-configuration. Additional permission required: |
| | AWS ACM Private Certificate Authority: aws-acm-pca-certificate-authority. Additional permissions required: |
| | Azure Data Box Gateway: azure-databox-gateway. Additional permission required: |
| | Azure Availability Sets: azure-vm-availability-set. Additional permission required: |
| | Azure Notification Hubs: azure-notification-hub-namespace. Additional permission required: |
| | Azure Notification Hubs: azure-notification-hub. Additional permission required: |
| | Azure Local Network Gateways: azure-local-network-gateways. Additional permission required: |
| | Azure NetApp Files: azure-netappfiles-account. Additional permission required: |
| | Azure Database for PostgreSQL: azure-postgresql-flexible-server. Additional permissions required: |
| | Azure Database for MySQL: azure-mysql-flexible-server. Additional permissions required: |
| | OCI IAM: oci-iam-identityproviders. Additional permission required: |
| | Google Essential Contacts: gcloud-essential-contacts-project-contact. Additional permission required: |
| | Google Service Directory: gcloud-service-directory-namespace. Additional permissions required: |
| | Google Organization Policy: gcloud-organization-policy-project-constraint. Additional permissions required: |
| | Google Access Approval: gcloud-access-approval-org-approval-setting. Additional permission required: |
Change in Existing Behavior: gcloud-compute-internal-lb-backend-service API Ingestion | Prisma Cloud displays the gcloud-compute-internal-lb-backend-service region on the Investigate page. This change will cause a one-time delete of resources and alerts, which will be re-opened. |
New Policies and Policy Updates
POLICY UPDATES | DESCRIPTION |
---|---|
New Policies | AWS IAM policy overly permissive to Lambda service. Identifies IAM policies that are overly permissive to the Lambda service. AWS provides serverless computational functionality through its Lambda service. Serverless functions allow organizations to run code for applications or backend services without provisioning virtual machines or management servers. It is recommended to follow the principle of least privilege, ensuring that Lambda permissions are granted only for the required resources. |
| | AWS Lambda IAM policy overly permissive to all traffic. Identifies AWS Lambda IAM policies that are overly permissive to all traffic. It is recommended that access to the Lambda function be restricted so that only authorized users and applications have access to the service. |
| | AWS Lambda function communicating with ports known to mine Monero. Identifies AWS Lambda functions that are communicating with ports known to be used for mining Monero. AWS Lambda functions infected with the Denonia malware install XMRig mining software, which is used for mining Monero. It is highly recommended to restrict Lambda functions to communicating with known hosts or services only. |
| | AWS RDS PostgreSQL exposed to local file read vulnerability. Identifies AWS RDS PostgreSQL instances that are exposed to a local file read vulnerability. AWS RDS PostgreSQL with the vulnerable 'log_fdw' extension installed is exposed to a local file read vulnerability, through which an attacker could gain access to local system files of the database instance within their account, including a file that contained credentials specific to PostgreSQL. It is highly recommended to upgrade AWS RDS PostgreSQL to the latest version. |
| | AWS Aurora PostgreSQL exposed to local file read vulnerability. Identifies AWS Aurora PostgreSQL instances that are exposed to a local file read vulnerability. AWS Aurora PostgreSQL with the vulnerable 'log_fdw' extension installed is exposed to a local file read vulnerability, through which an attacker could gain access to local system files of the database instance within their account, including a file that contained credentials specific to Aurora PostgreSQL. It is highly recommended to upgrade AWS Aurora PostgreSQL to the latest version. |
| | Azure Recovery Services vault is not configured with managed identity. Identifies Recovery Services vaults that are not configured with managed identity. Managed identity can be used to authenticate to any service that supports Azure AD authentication, without having credentials in your code. Storing credentials in code increases the threat surface in case of exploitation, and managed identities eliminate the need for developers to manage credentials. As a security best practice, it is recommended to assign a managed identity to your Recovery Services vault. |
| | GCP Firewall rule exposes GKE clusters by allowing all traffic on port 10250. Identifies GCP Firewall rules allowing all traffic on port 10250, which allows full GKE node access. Port 10250 on the kubelet is used by the kube-apiserver (running on hosts labeled as Orchestration Plane) for exec and logs. As per security best practice, port 10250 should not be exposed to the public. Permissions required to run the CLI: |
Policy Updates—RQL | AWS Network Load Balancer (NLB) is not using the latest predefined security policy. Changes — AWS updated the recommended security policy for network load balancers configured with TLS. Due to this change, the policy RQL, description, and recommendation steps have been updated accordingly.<br>Updated Description — Identifies Network Load Balancers (NLBs) that are not using the latest predefined security policy. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. It is recommended to use the latest predefined security policy, which uses only secure protocols and ciphers. It is recommended to use the ELBSecurityPolicy-TLS13-1-0-2021-06 policy if you require Forward Secrecy (FS), and to use the ELBSecurityPolicy-2016-08 policy to meet compliance and security standards that require disabling certain TLS protocol versions or to support legacy clients that require deprecated ciphers.<br>Current RQL —<br>Updated RQL —<br>Impact — Medium. The alerts for resources that had an older security policy will be resolved as 'Policy_Updated', and new alerts will be created if the security policy for a network load balancer configured with TLS is not the same as recommended by AWS. |
| | GCP User managed service accounts have user managed service account keys. Changes — The policy RQL is updated to exclude the Prisma Cloud-specific service account, and the description is modified based on the updated RQL.<br>Updated Description — Identifies user-managed service accounts that use user-managed service account keys instead of Google-managed keys. For user-managed keys, the user has to take ownership of key management activities. Even with owner precautions, keys can easily be leaked by common development malpractices such as checking keys into source code, leaving them in a downloads directory, or accidentally leaving them on support blogs or channels. It is recommended to limit the use of user-managed service account keys and instead use Google-managed keys, which cannot be downloaded. This policy might alert on service accounts that were not created using Terraform for cloud account onboarding. These alerts are valid because no user-managed service account should be used for cloud account onboarding.<br>Current RQL —<br>Updated RQL —<br>Impact — Medium. The RQL modification will resolve alerts associated with Prisma Cloud-specific service accounts. |
Policy Updates—Metadata | AWS EMR cluster is not enabled with local disk encryption using CMK. Changes — The policy name and description are updated.<br>Current Name — AWS EMR cluster is not enabled with local disk encryption using CMK<br>Updated Name — AWS EMR cluster is not enabled with local disk encryption using Custom key provider<br>Updated Description — Identifies AWS EMR clusters that are not enabled with local disk encryption using a custom key provider. Applications use the local file system on each cluster instance for intermediate data throughout workloads, and data can be spilled to disk when it overflows memory. With local disk encryption in place, data at rest can be protected.<br>Impact — No impact on existing alerts. |
| | Azure Policies. Changes — The recommendation steps for the following policies are updated as per the Azure UI changes:<br>Impact — No impact on existing alerts. |
Policy Deletions | Azure Policies. Changes — The following policies are deleted because the Setting feature is no longer available in the Azure UI:<br>Impact — Previously generated alerts will be resolved as Policy_Deleted. The compliance mapping for the above listed policies is removed, due to which the compliance score can be affected. The affected compliance standards are: APRA, CMMC_1_02, CSA_CCM_V4, HITRUST942, ISO_27002_2013, ISO_27017_2015, LGPD, NIST_800_171R2, NIST_800_172, NIST_800_53_R4_AZU_LEG, NIST_800_53_R5_AZURE, NIST_CSF_V_1_1, PCIDSS_321, AZURE_CCPA, AZURE_PIPEDA, MLPS20_AZURE, AZURE_CSA_CCM_V301, AZURE_HITRUST_V93, AZURE_NIST_CSF, AZURE_SOC2, CIS_AZURE_120, CIS_AZURE_V1.1, ISO_27018_2019. Impact — Low impact on existing alerts. |
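The first two new policies in the table above (an IAM policy overly permissive to the Lambda service, and a Lambda IAM policy overly permissive to all traffic) come down to two document-level checks on policy JSON. The following Python is an added example written for this page, not Prisma Cloud's RQL or code. It assumes the standard AWS policy document shape: an identity-based policy is flagged when an Allow statement grants `lambda:*` (or `*`) on `Resource: "*"`, and a Lambda resource-based policy is flagged when an Allow statement names Principal `*` (or `{"AWS": "*"}`) with no Condition narrowing the caller. The function names and the policy documents are constructed for the example; the account id is the AWS documentation placeholder.

```python
"""Flag over-permissive Lambda policies, as an illustration of the two new
policies described above. Two checks:
  1. identity-based IAM policy granting every Lambda action on every resource
  2. Lambda resource-based policy that lets any principal invoke the function
     without a Condition narrowing the caller
The policy documents below are constructed sample data, not from a real account."""
from typing import List


def _as_list(value) -> list:
    """IAM accepts either a string or a list for Action, Resource, Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_all_lambda(actions: list) -> bool:
    """'lambda:*' and the bare '*' both cover every Lambda API call."""
    return any(a.strip().lower() in ("*", "lambda:*") for a in actions)


def identity_policy_findings(policy: dict) -> List[str]:
    """Sids of Allow statements granting all Lambda actions on Resource '*'."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if (_grants_all_lambda(_as_list(stmt.get("Action")))
                and "*" in _as_list(stmt.get("Resource"))):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def _principal_is_anyone(principal) -> bool:
    """Principal '*' or {'AWS': '*'} means any caller, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def resource_policy_findings(policy: dict) -> List[str]:
    """Sids of Allow statements open to any principal with no Condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue  # a specific service or account principal is scoped
        if stmt.get("Condition"):
            continue  # e.g. aws:SourceArn or aws:PrincipalOrgID limits callers
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


FN_ARN = "arn:aws:lambda:us-east-1:111122223333:function:orders"  # constructed

# Constructed identity-based policy: one scoped statement, one blanket grant.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployOnlyOrdersFn", "Effect": "Allow",
         "Action": ["lambda:UpdateFunctionCode", "lambda:InvokeFunction"],
         "Resource": FN_ARN},
        {"Sid": "LambdaAdminEverywhere", "Effect": "Allow",
         "Action": "lambda:*", "Resource": "*"},
        {"Sid": "DenyDelete", "Effect": "Deny",
         "Action": "lambda:DeleteFunction", "Resource": "*"},
    ],
}

# Constructed Lambda resource-based policy (shape of `aws lambda get-policy`).
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {"Sid": "ApiGatewayInvoke", "Effect": "Allow",
         "Principal": {"Service": "apigateway.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
         "Condition": {"ArnLike": {"AWS:SourceArn":
             "arn:aws:execute-api:us-east-1:111122223333:abc123/*"}}},
        {"Sid": "AnyoneCanInvoke", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
        {"Sid": "OrgAccountsOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
}

if __name__ == "__main__":
    print("identity policy findings:", identity_policy_findings(IDENTITY_POLICY))
    print("resource policy findings:", resource_policy_findings(RESOURCE_POLICY))
```

The Condition check is deliberately coarse: any Condition is treated as narrowing the caller, which keeps the check conservative about false positives but means a Condition that does not actually restrict the principal would pass. A production rule would inspect the condition keys themselves.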