Features Introduced in November 2022
Learn what’s new on Prisma™ Cloud in November 2022.
New Features Introduced in 22.11.1
New Features
FEATURE | DESCRIPTION |
Prisma Cloud launches new Home Page | As a system administrator, you have a new Home page when you log in to Prisma Cloud. This page provides instant access to the critical issues, latest information, and recommendations for next steps. Use this page as a launch pad to:
|
Anomaly Policies for AWS DNS Activity | On the Policies page and in the Alerts Overview, the Policy Subtype DNS now displays. The two new policies that use information in DNS logs for your AWS cloud accounts to detect anomalies are:
When you enable DNS log ingestion and add the DNS anomaly policies to an alert rule, alerts for the DNS anomaly policies are triggered. These anomaly policies generate alerts when they detect suspicious domains in DNS queries. With these policies, you can also specify a domain name in an anomaly trusted list to suppress alerts: the DNS anomaly policies do not generate alerts for domain names on this trusted list. |
Ingestion of AWS DNS Logs from Amazon Kinesis Data Firehose | DNS logs provide critical data for detecting threats such as cryptomining pools, domain generation algorithms (DGAs), and DNS rebinding. Prisma Cloud fetches DNS logs for accounts that are streamed through Amazon Kinesis Data Firehose in a logging account on AWS. After you enable DNS log ingestion on Prisma Cloud, all requests made to the AWS default DNS resolvers are logged; DNS queries made to external servers or to DNS servers not managed by AWS are not logged. Logging is enabled per VPC. |
IAM Access Control for Service Principals Update | Ensure applications, hosted services, and automated tools securely access your Azure cloud resources with IAM access control for service principals. Assign permissions to the external service or service principal and enforce the appropriate level of access control. Like access control for individual users, service principals can be queried and alerts can be created for application registration and remediation. Use the App Registration value for source.cloud.resource.type and Service Principal in the grantedby.cloud.entity.type in your IAM queries to query service principals. |
Support for Azure Tenant Prisma Cloud Data Security | You can now enable Data Security on your Azure tenant and configure data security for all the subscriptions under that tenant. You can set up Forward and Backward scans of your Azure resources for data security issues, and choose either a custom scan or a scan of all objects in your tenant. |
Timestamp based on Resource Ingestion for Time Range Filters Update | On the Data Dashboard and Inventory pages, when you used the Time Range filter, the timestamp displayed was based on when the resource was created in the cloud account. For improved accuracy, the timestamp displayed is now based on when the resource was ingested. |
API Ingestions
SERVICE | API DETAILS |
AWS Cloud9 | aws-cloud9-environment Additional permissions required:
The Security Audit role includes the permissions except . You must add the permission manually or use the CFT template to update the permission. |
AWS WorkSpaces Bundle | aws-workspace-bundle Additional permissions required:
The Security Audit role includes the permissions. This API will not ingest public bundles. You can only retrieve bundles that belong to your account. |
AWS WorkSpaces | aws-workspace-ip-group Additional permissions required:
The Security Audit role includes the permissions. |
Azure Attestation | azure-attestation-providers Additional permission required:
The Reader role includes the permission. |
Azure Blueprint | azure-blueprints-list Additional permission required:
The Reader role includes the permission. |
Azure Confluent | azure-confluent-organizations Additional permission required:
The Reader role includes the permission. |
Azure Datadog | azure-datadog-monitors Additional permission required:
The Reader role includes the permission. |
Azure Dev Center | azure-dev-centers Additional permission required:
The Reader role includes the permission. |
Azure Elastic | azure-elastic-monitors Additional permission required:
The Reader role includes the permission. |
Azure Event Grid | azure-event-grid-topic Additional permission required:
The Reader role includes the permission. |
Azure Managed Services | azure-managedservices-registration-assignments Additional permission required:
The Reader role includes the permission. |
Azure Storage | azure-storage-file-shares Additional permission required:
The Reader role includes the permission. |
Azure Storage Mover | azure-storage-movers Additional permission required:
The Reader role includes the permission. |
Azure Workloads | azure-workloads-monitors Additional permission required:
The Reader role includes the permission. |
Azure Virtual Network | azure-network-service-endpoint-policy Additional permissions required:
The Reader role includes the permissions. |
Google Datastream | gcloud-datastream-connection-profile Additional permissions required:
The Viewer role includes the permissions. |
Google Datastream | gcloud-datastream-private-connection Additional permissions required:
The Viewer role includes the permissions. |
Google Datastream | gcloud-datastream-stream Additional permissions required:
The Viewer role includes the permissions. |
Google VPC | gcloud-compute-project-firewall-policy Additional permission required:
The Viewer role includes the permission. |
New Policies
NEW POLICIES | DESCRIPTION |
GCP Identity-Aware Proxy (IAP) not enabled for External HTTP(s) Load Balancer | Identifies GCP External HTTP(s) Load Balancers for which Identity-Aware Proxy (IAP) is disabled. IAP is used to enforce access control policies for applications and resources. It works with signed headers or the App Engine standard environment Users API to secure connections to External HTTP(s) Load Balancers. Enabling Identity-Aware Proxy to secure External HTTP(s) Load Balancers is recommended.
|
GCP API key is created for a project | Identifies GCP projects where API keys are created. Keys are insecure because they can be viewed publicly, such as from within a browser, or accessed on a device where the key resides. To avoid this API-related security risk, we recommend using the standard authentication flow.
|
Policy Updates
POLICY UPDATES | DESCRIPTION |
Policy Updates—RQL | |
AWS VPC endpoint policy is overly permissive | Changes— The policy RQL has been updated to check only VPC gateway endpoints. The policy name, description, and recommendation steps have also been updated.
Current Name— AWS VPC endpoint policy is overly permissive
Updated Name— AWS VPC gateway endpoint policy is overly permissive
Updated Description— Identifies VPC gateway endpoints that have a VPC endpoint (VPCE) policy that is overly permissive. When the Principal element value is set to '*' within the access policy, the VPC gateway endpoint allows full access to any IAM user or service within the VPC using credentials from any AWS account. It is highly recommended to apply a least-privilege VPCE policy to protect against data leakage and unauthorized access.
Current RQL—
Updated RQL—
Impact— Medium. Existing open alerts related to VPC endpoints other than gateway endpoints will be resolved, and their resolution status will be updated as Policy_Updated. |
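The condition the updated policy describes (an Allow statement whose Principal is '*') can be checked offline against an endpoint policy document. This is an added example, not Prisma Cloud's RQL or code; the two policy documents are constructed samples, and the example goes one step beyond the page by treating a wildcard principal that is narrowed by a Condition block as not overly permissive.

```python
import json

# Constructed sample: the overly permissive case the policy flags
# (Principal "*" with no Condition narrowing it).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "*", "Resource": "*"}],
})

# Constructed sample: a least-privilege policy scoped to one role and one
# bucket. The account ID is a placeholder, not a real account.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})


def _principal_is_wildcard(principal) -> bool:
    """True when Principal is '*' or {'AWS': '*'}, i.e. any identity in any account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def is_overly_permissive(policy_document: str) -> bool:
    """Return True if an Allow statement grants access to a wildcard Principal.

    Assumption beyond the page: a wildcard that carries a Condition block
    (for example aws:PrincipalOrgID) is treated as narrowed, not flagged.
    """
    doc = json.loads(policy_document)
    statements = doc.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # wildcard principal, but restricted by a condition
        return True
    return False
```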
AWS RDS minor upgrades not enabled | Changes— The policy RQL has been updated to check only RDS DB instances that are in the “available” state.
Current RQL—
Updated RQL—
Impact— Medium. Existing open alerts for RDS instances that are not in the available state will be resolved, and their resolution status will be updated as Policy_Updated. |
Azure AKS cluster pool profile count contains less than 3 nodes | Changes— The policy RQL has been updated with new syntax to increase accuracy, and the remediation details have been updated to reflect the CSP UI changes.
Updated Description— Identifies AKS clusters that are configured with a node pool profile of fewer than 3 nodes. It is recommended to have at least 3 nodes in a node pool for a more resilient cluster. (Clusters smaller than 3 nodes may experience downtime during upgrades.)
Current RQL—
Updated RQL—
Impact— Low. The alerts generated for stopped resources are resolved with resolution status Policy_Updated. |
Azure Front Door does not have the Azure Web application firewall (WAF) enabled | Changes— The policy RQL has been updated to provide more accuracy in alert results.
Current RQL—
Updated RQL—
Impact— Low. The alerts are resolved with resolution status Policy_Updated. |
Azure SQL Database with Auditing Retention less than 90 days | Changes— The policy RQL and recommendation steps have been updated to exclude Log Analytics and Event Hubs, because their retention periods are not configurable.
Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts for SQL databases configured with Log Analytics or Event Hubs auditing will be resolved as Policy_Updated. |
GCP PostgreSQL instance database flag log_statement is not set appropriately | Changes— The policy RQL has been enhanced to resolve false alerts by changing the contains operator to equals. This avoids collisions with similarly named flags such as log_statement_stats.
Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts caused by collisions with similar flag names will be resolved as Policy_Updated. |
GCP Kubernetes Engine Clusters have binary authorization disabled | Changes— The policy RQL has been updated to match CSP data. The datapoint binaryAuthorization.enabled is deprecated and replaced by binaryAuthorization.evaluationMode, and the remediation CLI has been removed because no single CLI command is available to update both zonal and regional GKE clusters.
Current RQL—
Updated RQL—
Impact— High. Previously generated alerts will be resolved as Policy_Updated, and new alerts will be generated for existing resources. No remediation support will be available for this policy. |
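A check that survives the field migration described above has to read the new evaluationMode enum first and fall back to the deprecated enabled boolean only when the enum is absent. This is an added example, not Prisma Cloud's RQL; the cluster descriptions are constructed, and the enum values DISABLED, EVALUATION_MODE_UNSPECIFIED and PROJECT_SINGLETON_POLICY_ENFORCE are taken from the GKE API rather than from this page.

```python
# Enum values assumed from the GKE clusters API (not listed on this page).
DISABLED_MODES = {"DISABLED", "EVALUATION_MODE_UNSPECIFIED"}


def binary_authorization_disabled(cluster: dict) -> bool:
    """True when binary authorization is off for the cluster.

    Prefer binaryAuthorization.evaluationMode when present; only fall back
    to the deprecated binaryAuthorization.enabled flag when it is missing.
    A cluster with no binaryAuthorization block at all is treated as
    disabled (assumption: the API omits the block when nothing is set).
    """
    ba = cluster.get("binaryAuthorization") or {}
    mode = ba.get("evaluationMode")
    if mode is not None:
        return mode in DISABLED_MODES
    return not bool(ba.get("enabled", False))


# Constructed sample cluster descriptions covering both schemas.
SAMPLE_CLUSTERS = [
    {"name": "legacy-on", "binaryAuthorization": {"enabled": True}},
    {"name": "legacy-off", "binaryAuthorization": {"enabled": False}},
    {"name": "new-enforce",
     "binaryAuthorization": {"evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"}},
    {"name": "new-disabled", "binaryAuthorization": {"evaluationMode": "DISABLED"}},
    # Both fields present: the enum wins over the stale boolean.
    {"name": "mixed", "binaryAuthorization": {"enabled": True, "evaluationMode": "DISABLED"}},
    {"name": "no-block"},
]


def clusters_without_binary_authorization(clusters) -> list:
    """Names of the clusters the updated policy would flag."""
    return [c["name"] for c in clusters if binary_authorization_disabled(c)]
```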
Policy Updates—Metadata | |
AWS S3 bucket accessible to unmonitored cloud accounts | Changes— The policy recommendation steps have been updated to specify that cloud accounts monitored by Prisma Cloud should be added to the S3 bucket ACL.
Impact— No impact on alerts. |
Azure AKS cluster Azure CNI networking not enabled | Changes— The policy recommendation steps have been updated.
Impact— No impact on alerts. |
Azure AKS cluster monitoring not enabled | Changes— The policy recommendation steps have been updated.
Impact— No impact on alerts. |
Azure AKS cluster HTTP application routing enabled | Changes— The policy recommendation steps have been updated.
Impact— No impact on alerts. |
Azure AKS enable role-based access control (RBAC) not enforced | Changes— The policy recommendation steps have been updated.
Impact— No impact on alerts. |
GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled | Changes— The policy name and recommendation steps have been updated to reflect the CSP changes.
Current Name— GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled
Updated Name— GCP Kubernetes Engine Clusters have Cloud Monitoring disabled
Impact— No impact on alerts. |
GCP Storage log buckets have object versioning disabled | Changes— The policy recommendation steps have been updated to reflect the CSP changes.
Impact— No impact on alerts. |
Storage Buckets with publicly accessible Stackdriver logs | Changes— The policy name and recommendation steps have been updated to reflect the CSP changes.
Current Name— Storage Buckets with publicly accessible Stackdriver logs
Updated Name— GCP Storage Buckets with publicly accessible GCP logs
Impact— No impact on alerts. |
Changes in Existing Behavior
FEATURE | DESCRIPTION |
Global Region Support for Google Compute Engine | Prisma Cloud now provides global region support for the API. As a result, all the resources will be deleted once and then regenerated on the management console. Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated against the policy violations.
Impact— You may notice a reduced alert count. The alert count will return to the original numbers once the resources for start ingesting data again. |
Region Support for Google Cloud Load Balancing APIs | Prisma Cloud can now store regional resources as well as global resources for the and APIs. As a result, new alerts will be generated against policy violations.
Impact— You may notice an increased alert count for the APIs. |
Alerts for Audit Events | To make your experience with audit event alerts consistent with configuration alerts for custom policies, policy evaluation for audit events now uses the alert rule configuration. The target cloud accounts and cloud regions for which alerts are triggered are now inherited only from the alert rule. Previously, when you ran an audit event query on the Investigate page, saved it as a saved search, and then used that saved search as the match criteria in a policy, the matched issues that triggered alerts used inputs from both the alert rule configuration and the saved search. For example, if you had created a saved search whose RQL includes cloud.account, cloud.accountgroup, or cloud.region, such as event from cloud.audit_logs where cloud.account = 'Developer Sandbox' AND cloud.region = 'AWS Canada' AND operation IN ('DeleteAccessKey'), the cloud.account and cloud.region attributes are now ignored for custom and existing policies and their associated alerts. Only the target cloud accounts and cloud regions that you specify in the alert rule configuration are used to scope when alerts are generated for the custom audit event policy.
Impact— Because the targets for generating alerts are now scoped differently, you may see a larger number of alerts than before. This change will be rolled out gradually over multiple phases. |