Features Introduced in November 2022

Learn what’s new on Prisma™ Cloud in November 2022.

New Features

Prisma Cloud launches new Home Page
As a system administrator, you have a new Home page when you log in to Prisma Cloud. This page provides instant access to the critical issues, latest information, and recommendations for next steps. Use this page as a launch pad to:
  • See the latest summary of what happened in the last 24 hours.
  • Identify where to resume on your operationalization journey. You have a central context to:
    • Review the recommended workflows.
    • Get started with connecting the providers - repositories, registries and cloud accounts - to scan artifacts and secure resources that are used and deployed through your code to cloud journey.
    • Take the next steps in adopting the suite of security capabilities from the Adoption Advisor.
  • Stay informed on what’s new on Prisma Cloud with easy access to the release information and cloud security blogs from Unit 42.
Anomaly Policies for AWS DNS Activity
On the Policies and Alerts Overview pages, a new Policy Subtype, DNS, is displayed.
The two new policies that use information in the DNS logs for your AWS cloud accounts to detect anomalies are:
  • Cryptomining domain request activity—detects when monitored resources attempt to contact a known cryptomining pool, using the DNS protocol to retrieve the IP address of the cryptominer.
  • DGA domain request activity—detects when monitored resources attempt to resolve domain names that look as if they were generated by an algorithm.
When you enable DNS log ingestion and add the DNS anomaly policies to an alert rule, alerts for the DNS anomaly policies are triggered.
These new anomaly policies generate alerts when they detect suspicious domains in DNS queries. With the addition of these policies, you can also specify a Domain Name in an anomaly trusted list to suppress alerts. The DNS anomaly policies do not generate alerts for domain names added to this trusted list.
Ingestion of AWS DNS Logs from Amazon Kinesis Data Firehose
DNS logs provide critical data for detecting threats such as cryptomining pools, domain generation algorithms (DGAs), and DNS rebinding. Prisma Cloud fetches DNS logs for accounts that are streamed through Amazon Kinesis Data Firehose in a logging account on AWS.
After you enable DNS log ingestion on Prisma Cloud, all requests made to the AWS default DNS resolvers are logged, while DNS queries made to external servers or to DNS servers not managed by AWS are not logged. Logging is enabled per VPC.
IAM Access Control for Service Principals (Update)
Ensure that applications, hosted services, and automated tools securely access your Azure cloud resources with IAM access control for service principals. Assign permissions to the external service or service principal and enforce the appropriate level of access control. As with access control for individual users, service principals can be queried, and alerts can be created for application registration and remediation.
Use the App Registration value for source.cloud.resource.type and the Service Principal value for grantedby.cloud.entity.type in your IAM queries to query service principals.
Support for Azure Tenant in Prisma Cloud Data Security
You can now enable Data Security on your Azure tenant and configure data security for all the subscriptions under that tenant. You can set up Forward and Backward scans to check your Azure resources for data security issues, and choose either a custom scan or a scan of all objects in your tenant.
Timestamp based on Resource Ingestion for Time Range Filters (Update)
On the Data Dashboard and Inventory pages, when you used the Time Range filter, the timestamp displayed was based on when the resource was created in the cloud account. For improved accuracy, the timestamp displayed is now based on when the resource was ingested.

API Ingestions

AWS Cloud9
aws-cloud9-environment
Additional permissions required:
  • cloud9:ListEnvironments
  • cloud9:ListTagsForResource
  • cloud9:DescribeEnvironments
  • cloud9:DescribeEnvironmentMemberships
The Security Audit role includes these permissions except cloud9:ListTagsForResource. You must add that permission manually or use the CFT template to update it.
AWS WorkSpaces Bundle
aws-workspace-bundle
Additional permissions required:
  • workspaces:DescribeTags
  • workspaces:DescribeWorkspaceBundles
The Security Audit role includes the permissions.
This API will not ingest public bundles. You can only retrieve bundles that belong to your account.
AWS WorkSpaces
aws-workspace-ip-group
Additional permissions required:
  • workspaces:DescribeTags
  • workspaces:DescribeIpGroups
The Security Audit role includes the permissions.
Azure Attestation
azure-attestation-providers
Additional permission required:
Microsoft.Attestation/attestationProviders/read
The Reader role includes the permission.
Azure Blueprint
azure-blueprints-list
Additional permission required:
Microsoft.Blueprint/blueprints/read
The Reader role includes the permission.
Azure Confluent
azure-confluent-organizations
Additional permission required:
Microsoft.Confluent/organizations/Read
The Reader role includes the permission.
Azure Datadog
azure-datadog-monitors
Additional permission required:
Microsoft.Datadog/monitors/read
The Reader role includes the permission.
Azure Dev Center
azure-dev-centers
Additional permission required:
Microsoft.DevCenter/devcenters/read
The Reader role includes the permission.
Azure Elastic
azure-elastic-monitors
Additional permission required:
Microsoft.Elastic/monitors/read
The Reader role includes the permission.
Azure Event Grid
azure-event-grid-topic
Additional permission required:
Microsoft.EventGrid/topics/read
The Reader role includes the permission.
Azure Key Vault
azure-key-vault-privatelinkresource
Additional permissions required:
  • Microsoft.KeyVault/vaults/read
  • Microsoft.KeyVault/vaults/privateLinkResources/read
The Reader role includes the permissions.
Azure Managed Services
azure-managedservices-registration-assignments
Additional permission required:
Microsoft.ManagedServices/registrationAssignments/read
The Reader role includes the permission.
Azure Storage
azure-storage-file-shares
Additional permission required:
Microsoft.Storage/storageAccounts/fileServices/shares/read
The Reader role includes the permission.
Azure Storage Mover
azure-storage-movers
Additional permission required:
Microsoft.StorageMover/storageMovers/read
The Reader role includes the permission.
Azure Subscriptions
azure-subscription-list
Additional permission required:
Microsoft.Resources/subscriptions/read
The Reader role includes the permission.
Azure Workloads
azure-workloads-monitors
Additional permission required:
Microsoft.Workloads/monitors/read
The Reader role includes the permission.
Azure Virtual Network
azure-network-service-endpoint-policy
Additional permissions required:
  • Microsoft.Network/serviceEndpointPolicies/read
  • Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions/read
  • Microsoft.Network/privateEndpoints/read
The Reader role includes the permissions.
Google Datastream
gcloud-datastream-connection-profile
Additional permissions required:
  • datastream.locations.list
  • datastream.connectionProfiles.list
The Viewer role includes the permissions.
Google Datastream
gcloud-datastream-private-connection
Additional permissions required:
  • datastream.locations.list
  • datastream.privateConnections.list
The Viewer role includes the permissions.
Google Datastream
gcloud-datastream-stream
Additional permissions required:
  • datastream.locations.list
  • datastream.streams.list
The Viewer role includes the permissions.
Google VPC
gcloud-compute-project-firewall-policy
Additional permission required:
compute.firewallPolicies.list
The Viewer role includes the permission.

New Policies

GCP Identity-Aware Proxy (IAP) not enabled for External HTTP(s) Load Balancer
Identifies GCP External HTTP(s) Load Balancers for which Identity-Aware Proxy (IAP) is disabled. IAP is used to enforce access control policies for applications and resources. It works with signed headers or the App Engine standard environment Users API to secure connections to External HTTP(s) Load Balancers. Enabling Identity-Aware Proxy to secure External HTTP(s) Load Balancers is recommended.
config from cloud.resource where api.name = 'gcloud-compute-external-backend-service' AND json.rule = iap does not exist or iap.enabled equals "false"
GCP API key is created for a project
Identifies GCP projects where API keys are created. Keys are insecure because they can be viewed publicly, such as from within a browser, or accessed on a device where the key resides. To avoid this API-related security risk, we recommend using the standard authentication flow.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-api-key' as X; count(X) greater than 0

Policy Updates

Policy Updates—RQL
AWS VPC endpoint policy is overly permissive
Changes—The policy RQL has been updated to check only VPC Gateway Endpoints. The policy name, description, and recommendation steps have also been updated.
Current Name—AWS VPC endpoint policy is overly permissive disabled
Updated Name—AWS VPC gateway endpoint policy is overly permissive
Updated Description—Identifies VPC gateway endpoints that have a VPC endpoint (VPCE) policy that is overly permissive. When the Principal element value is set to '*' within the access policy, the VPC gateway endpoint allows full access to any IAM user or service within the VPC using credentials from any AWS account. It is highly recommended to apply a least-privilege VPCE policy to protect against data leakage and unauthorized access.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-describe-vpc-endpoints' AND json.rule = policyDocument.Statement[?any(Effect equals Allow and (Principal.AWS equals * or Principal equals *) and Action contains * and Condition does not exist)] exists
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-describe-vpc-endpoints' AND json.rule = vpcEndpointType equals Gateway and policyDocument.Statement[?any(Effect equals Allow and (Principal.AWS equals * or Principal equals *) and Action contains * and Condition does not exist)] exists
Impact—Medium. Existing open alerts related to VPC endpoints other than Gateway will be resolved and their resolution status will be updated as Policy_Updated.
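The check behind the updated RQL, worked through in plain Python as an added example (this is not Prisma Cloud's code): the statement predicate is mirrored one clause at a time, and the gateway_only switch shows which of the constructed endpoints the current and the updated RQL would flag, which is exactly the set of alerts the Impact line says will be resolved. The endpoint records, account id, bucket and organization id are constructed sample data.

```python
# Added example (not Prisma Cloud's own code): the "overly permissive VPC
# endpoint policy" check from the updated RQL, evaluated in plain Python over
# constructed DescribeVpcEndpoints-style records.
import json


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_overly_permissive(stmt):
    """Mirror the predicate inside Statement[?any(...)] in the RQL:
    Effect equals Allow and (Principal.AWS equals * or Principal equals *)
    and Action contains * and Condition does not exist."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    wildcard_principal = principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
    )
    # "Action contains *" also matches service wildcards such as "s3:*".
    wildcard_action = any("*" in a for a in _as_list(stmt.get("Action")))
    return wildcard_principal and wildcard_action and "Condition" not in stmt


def endpoint_violates(endpoint, gateway_only=True):
    """gateway_only=True is the updated RQL (vpcEndpointType equals Gateway);
    gateway_only=False is the current RQL, which looked at every endpoint."""
    if gateway_only and endpoint.get("vpcEndpointType") != "Gateway":
        return False
    policy = endpoint.get("policyDocument") or {}
    if isinstance(policy, str):  # the raw AWS API returns the policy as a JSON string
        policy = json.loads(policy)
    return any(statement_is_overly_permissive(s) for s in _as_list(policy.get("Statement")))


def violating_endpoint_ids(endpoints, gateway_only=True):
    return [e["vpcEndpointId"] for e in endpoints if endpoint_violates(e, gateway_only)]


# Constructed sample data: the default full-access policy on a gateway
# endpoint, the same policy on an interface endpoint, and a scoped policy.
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}
SCOPED = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # constructed account id
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
}]}
SAMPLE_ENDPOINTS = [
    {"vpcEndpointId": "vpce-gateway-open", "vpcEndpointType": "Gateway", "policyDocument": json.dumps(FULL_ACCESS)},
    {"vpcEndpointId": "vpce-interface-open", "vpcEndpointType": "Interface", "policyDocument": FULL_ACCESS},
    {"vpcEndpointId": "vpce-gateway-scoped", "vpcEndpointType": "Gateway", "policyDocument": SCOPED},
]

if __name__ == "__main__":
    print("current RQL flags:", violating_endpoint_ids(SAMPLE_ENDPOINTS, gateway_only=False))
    print("updated RQL flags:", violating_endpoint_ids(SAMPLE_ENDPOINTS))
```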
AWS RDS minor upgrades not enabled
Changes—The policy RQL has been updated to check that the RDS DB instances are in the "available" state.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = autoMinorVersionUpgrade is false and engine does not contain docdb and engine does not contain neptune
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and autoMinorVersionUpgrade is false and engine does not contain docdb and engine does not contain neptune
Impact—Medium. Existing open alerts related to RDS instances that are not in the available state will be resolved and their resolution status will be updated as Policy_Updated.
Azure AKS cluster pool profile count contains less than 3 nodes
Changes—The policy RQL has been updated with new syntax to increase accuracy, and the remediation details have been updated to reflect the CSP UI changes.
Updated Description—Identifies AKS clusters that are configured with a node pool profile of fewer than 3 nodes. It is recommended to have at least 3 nodes in a node pool for a more resilient cluster. (Clusters smaller than 3 nodes may experience downtime during upgrades.)
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-kubernetes-cluster' AND json.rule = "properties.agentPoolProfiles[?(@.type == 'AvailabilitySet')].count < 3"
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-kubernetes-cluster' AND json.rule = 'properties.powerState.code equal ignore case Running and properties.agentPoolProfiles[?any(type equal ignore case AvailabilitySet and count less than 3)] exists'
Impact—Low. The alerts generated for stopped resources are resolved with the resolution status Policy_Updated.
Azure Front Door does not have the Azure Web application firewall (WAF) enabled
Changes—The policy RQL has been updated to improve the accuracy of alert results.
Current RQL—
config from cloud.resource where api.name = 'azure-frontdoor' AND json.rule = properties.provisioningState equals Succeeded as X; config from cloud.resource where api.name = 'azure-frontdoor-waf-policy' as Y; filter '$.X.properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink.id does not exist or ($.X.properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink.id contains $.Y.name and $.Y.properties.policySettings.enabledState equals Disabled)'; show X;
Updated RQL—
config from cloud.resource where api.name = 'azure-frontdoor' AND json.rule = properties.provisioningState equals Succeeded as X; config from cloud.resource where api.name = 'azure-frontdoor-waf-policy' as Y; filter '$.X.properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink.id does not exist or ($.X.properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink.id equal ignore case $.Y.id and $.Y.properties.policySettings.enabledState equals Disabled)'; show X;
Impact—Low. The alerts are resolved with the resolution status Policy_Updated.
Azure SQL Database with Auditing Retention less than 90 days
Changes—The policy RQL and recommendation steps have been updated to exclude Log Analytics and Event Hubs, as their retention periods are not configurable.
Current RQL—
config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = '(serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.state equals Disabled or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90))' as X; config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = 'blobAuditPolicy does not exist or blobAuditPolicy is empty or blobAuditPolicy.properties.retentionDays does not exist or (blobAuditPolicy.properties.state equals Enabled and blobAuditPolicy.properties.retentionDays does not equal 0 and blobAuditPolicy.properties.retentionDays less than 90)' as Y; filter '$.Y.blobAuditPolicy.id contains $.X.sqlServer.name'; show Y;
Updated RQL—
config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = '(serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.state equals Disabled or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.storageEndpoint is not empty and serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90))' as X; config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = '(blobAuditPolicy does not exist or blobAuditPolicy is empty or blobAuditPolicy.properties.retentionDays does not exist or (blobAuditPolicy.properties.storageEndpoint is not empty and blobAuditPolicy.properties.state equals Enabled and blobAuditPolicy.properties.retentionDays does not equal 0 and blobAuditPolicy.properties.retentionDays less than 90))' as Y; filter '$.Y.blobAuditPolicy.id contains $.X.sqlServer.name'; show Y;
Impact—Low. Previously generated alerts for SQL databases configured with Log Analytics or Event Hubs auditing will be resolved as Policy_Updated.
GCP PostgreSQL instance database flag log_statement is not set appropriately
Changes—The policy RQL has been enhanced to resolve false alerts by changing the contains operator to equals. This avoids collisions with similarly named flags such as log_statement_stats.
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list' AND json.rule = "state equals RUNNABLE and databaseVersion contains POSTGRES and (settings.databaseFlags[*].name does not contain log_statement or settings.databaseFlags[?any(name contains log_statement and value contains all or value contains none )] exists)"
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list' AND json.rule = state equals RUNNABLE and databaseVersion contains POSTGRES and ( settings.databaseFlags[?any( name equals "log_statement" )] does not exist or settings.databaseFlags[?any( name equals "log_statement" and value equals "all" or value equals "none" )] exists)
Impact—Low. Previously generated alerts caused by collisions with similarly named flags will be resolved as Policy_Updated.
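An added example, not Prisma Cloud's code, of why the flag name must be matched exactly: the same lookup is run once as a substring match on the flag name and once as an exact match, over constructed Cloud SQL databaseFlags lists in which log_statement_stats sits next to (or in place of) log_statement. The instance names and flag values are constructed.

```python
# Added example (not Prisma Cloud's code): the flag lookup behind the
# log_statement policy, with a substring match on the flag name beside the
# exact-name match used by the updated RQL, run over constructed Cloud SQL
# databaseFlags lists.
BAD_VALUES = {"all", "none"}  # values the policy treats as "not set appropriately"


def _matching_flags(flags, name, exact):
    """Return flags whose name equals `name` (exact) or merely contains it."""
    if exact:
        return [f for f in flags if f["name"] == name]
    return [f for f in flags if name in f["name"]]


def log_statement_misconfigured(flags, exact=True):
    """True when the instance should be flagged: the log_statement flag is
    absent, or it is present with a value of all/none. With exact=False the
    name check is a substring match, so log_statement_stats counts as well."""
    matches = _matching_flags(flags, "log_statement", exact)
    if not matches:
        return True  # flag does not exist: not set appropriately
    return any(f["value"] in BAD_VALUES for f in matches)


def compare(instances):
    """Map instance name -> (substring-match result, exact-match result)."""
    return {
        name: (log_statement_misconfigured(flags, exact=False),
               log_statement_misconfigured(flags, exact=True))
        for name, flags in instances.items()
    }


# Constructed samples (flag names are real Cloud SQL PostgreSQL flags).
SAMPLE_INSTANCES = {
    # Compliant: log_statement=ddl, plus an unrelated flag with a similar name.
    "pg-ddl": [{"name": "log_statement", "value": "ddl"},
               {"name": "log_statement_stats", "value": "off"}],
    # Only the similarly named flag is set; log_statement itself is missing.
    # A substring match treats log_statement_stats as the flag being present.
    "pg-stats-only": [{"name": "log_statement_stats", "value": "on"}],
    # log_statement explicitly set to all: flagged under both matchers.
    "pg-all": [{"name": "log_statement", "value": "all"}],
    # No flags at all: flagged under both matchers.
    "pg-unset": [],
}

if __name__ == "__main__":
    for name, (substring, exact) in compare(SAMPLE_INSTANCES).items():
        print(f"{name}: substring={substring} exact={exact}")
```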
GCP Kubernetes Engine Clusters have binary authorization disabled
Changes—The policy RQL has been updated to match CSP data. The datapoint binaryAuthorization.enabled is deprecated and replaced by binaryAuthorization.evaluationMode, and the remediation CLI is removed since no single CLI command is available to update both zonal and regional GKE clusters.
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = 'binaryAuthorization does not exist or binaryAuthorization.enabled is false'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = binaryAuthorization.evaluationMode does not exist or binaryAuthorization.evaluationMode equal ignore case EVALUATION_MODE_UNSPECIFIED or binaryAuthorization.evaluationMode equal ignore case DISABLED
Impact—High. Previously generated alerts will be resolved as Policy_Updated and new alerts will be generated for existing resources. Also, no remediation support will be available for this policy.
Policy Updates—Metadata
AWS S3 bucket accessible to unmonitored cloud accounts
Changes—The policy recommendation steps have been updated to specify that cloud accounts monitored by Prisma Cloud should be added to the S3 bucket ACL.
Impact—No impact on alerts.
Azure AKS cluster Azure CNI networking not enabled
Changes—The policy recommendation steps have been updated.
Impact—No impact on alerts.
Azure AKS cluster monitoring not enabled
Changes—The policy recommendation steps have been updated.
Impact—No impact on alerts.
Azure AKS cluster HTTP application routing enabled
Changes—The policy recommendation steps have been updated.
Impact—No impact on alerts.
Azure AKS enable role-based access control (RBAC) not enforced
Changes—The policy recommendation steps have been updated.
Impact—No impact on alerts.
GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled
Changes—The policy name and recommendation steps have been updated to reflect the CSP changes.
Current Name—GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled
Updated Name—GCP Kubernetes Engine Clusters have Cloud Monitoring disabled
Impact—No impact on alerts.
GCP Storage log buckets have object versioning disabled
Changes—The policy recommendation steps have been updated to reflect the CSP changes.
Impact—No impact on alerts.
Storage Buckets with publicly accessible Stackdriver logs
Changes—The policy name and recommendation steps have been updated to reflect the CSP changes.
Current Name—Storage Buckets with publicly accessible Stackdriver logs
Updated Name—GCP Storage Buckets with publicly accessible GCP logs
Impact—No impact on alerts.

Changes in Existing Behavior

Global Region Support for Google Compute Engine
Prisma Cloud now provides global region support for the gcloud-compute-instance-template API. As a result, all the resources will be deleted once and then regenerated on the management console. Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated against the policy violations.
Impact—You may notice a reduced count in the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-compute-instance-template start ingesting data again.
Region Support for Google Cloud Load Balancing APIs
Prisma Cloud can now store regional resources as well as global resources for the gcloud-compute-target-http-proxies and gcloud-compute-target-https-proxies APIs. As a result, new alerts will be generated against policy violations.
Impact—You may notice an increased count in the number of alerts for the gcloud-compute-target-http-proxies and gcloud-compute-target-https-proxies APIs.
Alerts for Audit Events
To make your experience with audit event alerts consistent with configuration alerts for custom policies, the policy evaluation for audit events has been updated to use the alert rule configuration. The target cloud accounts and cloud regions for which you want to trigger alerts are now inherited only from the alert rule.
Earlier, when you ran an audit event query on the Investigate page, saved the query as a saved search, and then used that saved search as the match criteria in a policy, the matched issues that triggered alerts used inputs from both the alert rule configuration and the saved search.
As an example, if you had created a saved search that includes RQL for cloud.account, cloud.accountgroup, or cloud.region, such as
event from cloud.audit_logs where cloud.account = 'Developer Sandbox' AND cloud.region = 'AWS Canada' AND operation IN ('DeleteAccessKey')
the cloud.account and cloud.region attributes are now ignored for custom and existing policies and their associated alerts.
Only the target cloud accounts and cloud regions that you specify in the alert rule configuration are used to scope when alerts are generated for the custom Audit Event policy.
Impact—The change in how the targets for generating alerts are scoped may result in a larger number of alerts than before. This change will be rolled out gradually over multiple phases.
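A small model of the scoping change above, added here as an example and not Prisma Cloud's code: the saved search is the one quoted in the text, the alert rule targets and the audit events are constructed, and the two functions apply the previous scoping (saved search filters and alert rule targets together) and the updated scoping (operation from the saved search, accounts and regions from the alert rule only) to the same events, which shows where the larger alert count comes from.

```python
# Added example (not Prisma Cloud's code): a model of audit-event alert scoping
# before and after the change. "Previous" scoping requires an event to match
# every saved-search attribute AND the alert rule targets; "updated" scoping
# takes account/region from the alert rule only and keeps just the operation
# filter from the saved search. All event data below is constructed.

# Saved search from the release note:
#   event from cloud.audit_logs where cloud.account = 'Developer Sandbox'
#   AND cloud.region = 'AWS Canada' AND operation IN ('DeleteAccessKey')
SAVED_SEARCH = {
    "cloud.account": {"Developer Sandbox"},
    "cloud.region": {"AWS Canada"},
    "operation": {"DeleteAccessKey"},
}

# Alert rule targets (constructed): two accounts, all regions (None = any region).
ALERT_RULE = {"accounts": {"Developer Sandbox", "Production"}, "regions": None}


def in_alert_rule_scope(event, rule):
    """Alert rule targets: account must be listed; region must be listed or unrestricted."""
    if event["cloud.account"] not in rule["accounts"]:
        return False
    return rule["regions"] is None or event["cloud.region"] in rule["regions"]


def matches_saved_search(event, search, attributes):
    """Check only the listed saved-search attributes against the event."""
    return all(event[attr] in search[attr] for attr in attributes if attr in search)


def previous_alerts(events, search, rule):
    """Inputs from both: every saved-search attribute AND the alert rule targets."""
    return [e["id"] for e in events
            if matches_saved_search(e, search, search.keys()) and in_alert_rule_scope(e, rule)]


def updated_alerts(events, search, rule):
    """cloud.account / cloud.region in the saved search are ignored; scope comes from the rule."""
    return [e["id"] for e in events
            if matches_saved_search(e, search, ["operation"]) and in_alert_rule_scope(e, rule)]


SAMPLE_EVENTS = [
    {"id": 1, "cloud.account": "Developer Sandbox", "cloud.region": "AWS Canada", "operation": "DeleteAccessKey"},
    {"id": 2, "cloud.account": "Developer Sandbox", "cloud.region": "AWS Oregon", "operation": "DeleteAccessKey"},
    {"id": 3, "cloud.account": "Production", "cloud.region": "AWS Canada", "operation": "DeleteAccessKey"},
    {"id": 4, "cloud.account": "Staging", "cloud.region": "AWS Canada", "operation": "DeleteAccessKey"},
    {"id": 5, "cloud.account": "Developer Sandbox", "cloud.region": "AWS Canada", "operation": "CreateAccessKey"},
]

if __name__ == "__main__":
    print("previous scoping alerts on events:", previous_alerts(SAMPLE_EVENTS, SAVED_SEARCH, ALERT_RULE))
    print("updated scoping alerts on events: ", updated_alerts(SAMPLE_EVENTS, SAVED_SEARCH, ALERT_RULE))
```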
