1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Release Notes
    5. Prisma™ Cloud Release Information
    6. Features Introduced in 2022
    7. Features Introduced in November 2022

    Features Introduced in November 2022

    Learn what’s new on Prisma™ Cloud in November 2022.

    New Features Introduced in 22.11.1

    New Features

    FEATURE
    DESCRIPTION
    Prisma Cloud launches new Home Page
    As a system administrator, you have a new Home page when you log in to Prisma Cloud. This page provides instant access to the critical issues, latest information, and recommendations for next steps. Use this page as a launch pad to:
    • See the latest summary of what happened in the last 24 hours.
    • Identify where to resume on your operationalization journey. You have a central context to:
      • Review the recommended workflows.
      • Get started with connecting the providers - repositories, registries and cloud accounts - to scan artifacts and secure resources that are used and deployed through your code to cloud journey.
      • Take the next steps in adopting the suite of security capabilities from the Adoption Advisor
    • Stay informed on what’s new on Prisma Cloud with easy access to the release information and cloud security blogs from Unit 42.
    Anomaly Policies for AWS DNS Activity
    On
    Policies
     and
    Alerts
    Overview
    , a new
    Policy Subtype
     for
    DNS
     displays.
    The two new policies that use information in DNS logs for your AWS cloud accounts to detect anomalies are:
    • Cryptomining domain request activity—
       detects when monitored resources attempt to contact a known cryptomining pool using DNS protocol to retrieve the IP address of the cryptominer.
    • DGA domain request activity—
       detects when monitored resources attempt to resolve domain names in which domain names look like they are generated by an algorithm.
    When you enable DNS log ingestion, and add the DNS anomaly policies to an alert rule, alerts for DNS anomaly policies are triggered.
    These new anomaly policies generate alerts when they detect suspicious domains in DNS queries. With the addition of these policies, you also have the ability to specify a
    Domain Name
     in an anomaly trusted list to suppress alerts. For the domain names that are added to this trusted list, the DNS anomaly policies will not generate alerts.
    Ingestion of AWS DNS Logs from Amazon Kinesis Data Firehose
    DNS logs provide critical data in detecting threats such as, Cryptomining pools, domain generation algorithms (DGAs), and DNS rebinding. Prisma Cloud fetches DNS logs for accounts that are streamed on Amazon Kinesis Data Firehose in a logging account on AWS.
    After you enable DNS log ingestion on Prisma Cloud, all requests made to AWS default DNS resolvers are logged while DNS queries made to external servers or DNS servers not managed by AWS are not logged. Logging is enabled per VPC.
    IAM Access Control for Service Principals
    Update
    Ensure applications, hosted services, and automated tools securely access your Azure cloud resources with IAM access control for service principals. Assign permissions to the external service or service principal and enforce the appropriate level of access control. Like access control for individual users, service principals can be queried and alerts can be created for application registration and remediation.
    Use the
    App Registration
     value for
    source.cloud.resource.type
     and
    Service Principal
     in the
    grantedby.cloud.entity.type
     in your IAM queries to query service principals.
    Support for Azure Tenant
    Prisma Cloud Data Security
    You can now enable Data Security on your Azure tenant and configure data security for all the subscriptions under that tenant. You can set up Forward and Backward scan to scan your Azure resources for data security issues and also choose custom scan or choose to scan all objects in your tenants.
    Timestamp based on Resource Ingestion for Time Range Filters
    Update
    On the Data Dashboard and Inventory pages, when you used the Time Range filter the timestamp displayed was based on when the resource was created in the cloud account. For improved accuracy, the timestamp displayed is now based on when the resource was ingested.

    API Ingestions

    SERVICE
    API DETAILS
    AWS Cloud9
    aws-cloud9-environment
    Additional permissions required:
    • cloud9:ListEnvironments
    • cloud9:ListTagsForResource
    • cloud9:DescribeEnvironments
    • cloud9:DescribeEnvironmentMemberships
    The Security Audit role includes the permissions except 
    cloud9:ListTagsForResource
    .
    You must add the permission manually or use CFT template to update the 
    cloud9:ListTagsForResource
    permission.
    AWS WorkSpaces Bundle
    aws-workspace-bundle
    Additional permissions required:
    • workspaces:DescribeTags
    • workspaces:DescribeWorkspaceBundles
    The Security Audit role includes the permissions.
    This API will not ingest public bundles. You can only retrieve bundles that belong to your account.
    AWS WorkSpaces
    aws-workspace-ip-group
    Additional permissions required:
    • workspaces:DescribeTags
    • workspaces:DescribeIpGroups
    The Security Audit role includes the permissions.
    Azure Attestation
    azure-attestation-providers
    Additional permission required: 
    Microsoft.Attestation/attestationProviders/read
    The Reader role includes the permission.
    Azure Blueprint
    azure-blueprints-list
    Additional permission required: 
    Microsoft.Blueprint/blueprints/read
    The Reader role includes the permission.
    Azure Confluent
    azure-confluent-organizations
    Additional permission required: 
    Microsoft.Confluent/organizations/Read
    The Reader role includes the permission.
    Azure Datadog
    azure-datadog-monitors
    Additional permission required: 
    Microsoft.Datadog/monitors/read
    The Reader role includes the permission.
    Azure Dev Center
    azure-dev-centers
    Additional permission required: 
    Microsoft.DevCenter/devcenters/read
    The Reader role includes the permission.
    Azure Elastic
    azure-elastic-monitors
    Additional permission required: 
    Microsoft.Elastic/monitors/read
    The Reader role includes the permission.
    Azure Event Grid
    azure-event-grid-topic
    Additional permission required: 
    Microsoft.EventGrid/topics/read
    The Reader role includes the permission.
    Azure Managed Services
    azure-managedservices-registration-assignments
    Additional permission required: 
    Microsoft.ManagedServices/registrationAssignments/read
    The Reader role includes the permission.
    Azure Storage
    azure-storage-file-shares
    Additional permission required: 
    Microsoft.Storage/storageAccounts/fileServices/shares/read
    The Reader role includes the permission.
    Azure Storage Mover
    azure-storage-movers
    Additional permission required: 
    Microsoft.StorageMover/storageMovers/read
    The Reader role includes the permission.
    Azure Workloads
    azure-workloads-monitors
    Additional permission required: 
    Microsoft.Workloads/monitors/read
    The Reader role includes the permission.
    Azure Virtual Network
    azure-network-service-endpoint-policy
    Additional permissions required:
    • Microsoft.Network/serviceEndpointPolicies/read
    • Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions/read
    • Microsoft.Network/privateEndpoints/read
    The Reader role includes the permissions.
    Google Datastream
    gcloud-datastream-connection-profile
    Additional permissions required:
    • datastream.locations.list
    • datastream.connectionProfiles.list
    The Viewer role includes the permissions.
    Google Datastream
    gcloud-datastream-private-connection
    Additional permissions required:
    • datastream.locations.list
    • datastream.privateConnections.list
    The Viewer role includes the permissions.
    Google Datastream
    gcloud-datastream-stream
    Additional permissions required:
    • datastream.locations.list
    • datastream.streams.list
    The Viewer role includes the permissions.
    Google VPC
    gcloud-compute-project-firewall-policy
    Additional permission required: 
    compute.firewallPolicies.list
    The Viewer role includes the permission.

    New Policies

    NEW POLICIES
    DESCRIPTION
    GCP Identity-Aware Proxy (IAP) not enabled for External HTTP(s) Load Balancer
    Identifies GCP External HTTP(s) Load Balancers for which Identity-Aware Proxy (IAP) is disabled. IAP is used to enforce access control policies for applications and resources. It works with signed headers or the App Engine standard environment Use API to secure connections to External HTTP(s) Load Balancers. Enabling Identity-Aware Proxy for securing the External HTTP(s) Load Balancers is recommended.
    config from cloud.resource where api.name = 'gcloud-compute-external-backend-service' AND json.rule = iap does not exist or iap.enabled equals "false"
    GCP API key is created for a project
    Identifies GCP projects where API keys are created. Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. To avoid this API related security risk, we recommended using standard authentication flow.
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-api-key' as X; count(X) greater than 0

    Policy Updates

    POLICY UPDATES
    DESCRIPTION
    Policy Updates—RQL
    AWS VPC endpoint policy is overly permissive
    Changes—
     The policy RQL has been updated to check for only VPC Gateway Endpoints. Also, the policy name, description, and recommendation steps have been updated.
    Current Name—
     AWS VPC endpoint policy is overly permissive disabled
    Updated Name—
     AWS VPC gateway endpoint policy is overly permissive
    Updated Description—
     Identifies VPC gateway endpoints that have a VPC endpoint (VPCE) policy that is overly permissive. When the Principal element value is set to '*' within the access policy, the VPC gateway endpoint allows full access to any IAM user or service within the VPC using credentials from any AWS accounts. It is highly recommended to have the least privileged VPCE policy to protect the data leakage and unauthorized access.
    Current RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-describe-vpc-endpoints' AND json.rule = policyDocument.Statement[?any(Effect equals Allow and (Principal.AWS equals * or Principal equals *) and Action contains * and Condition does not exist)] exists
    Updated RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-describe-vpc-endpoints' AND json.rule = vpcEndpointType equals Gateway and policyDocument.Statement[?any(Effect equals Allow and (Principal.AWS equals * or Principal equals *) and Action contains * and Condition does not exist)] exists
    Impact—
     Medium. Existing open alerts related to VPC Endpoint’s other than Gateway will be resolved and resolution status will be updated as Policy_Updated.
    AWS RDS minor upgrades not enabled
    Changes—
     The policy RQL has been updated to check if the RDS DB instances are in the “available” state.
    Current RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = autoMinorVersionUpgrade is false and engine does not contain docdb and engine does not contain neptune
    Updated RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and autoMinorVersionUpgrade is false and engine does not contain docdb and engine does not contain neptune
    Impact—
     Medium. Existing open alerts related to RDS instances which are not in the available state will be resolved and resolution status will be updated as Policy_Updated.
    Azure AKS cluster pool profile count contains less than 3 nodes
    Changes—
     The policy RQL has been updated with new syntax to increase accuracy and the remediation details are updated to reflect the CSP UI changes.
    Updated Description—
     Identifies AKS clusters that are configured with node pool profile less than 3 nodes. It is recommended to have at least 3 or more than 3 nodes in a node pool for a more resilient cluster. (Clusters smaller than 3 may experience downtime during upgrades.)
    Current RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-kubernetes-cluster' AND json.rule =  "properties.agentPoolProfiles[?(@.type == 'AvailabilitySet')].count < 3"
    Updated RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-kubernetes-cluster' AND json.rule = 'properties.powerState.code equal ignore case Running and properties.agentPoolProfiles[?any(type equal ignore case AvailabilitySet and count less than 3)] exists'
    Impact—
     Low. The alerts generated for stopped resources are resolved with resolution status as Policy_Updated.
    Azure Front Door does not have the Azure Web application firewall (WAF) enabled
    Changes—
     The policy RQL has been updated to provide more accuracy in alert results.
    Current RQL—
    config from cloud.resource where api.name = 'azure-frontdoor' AND json.rule = properties.provisioningState equals Succeeded as X; config from cloud.resource where api.name = 'azure-frontdoor-waf-policy' as Y; filter '$.X.properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink.id does not exist or ($.X.properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink.id contains $.Y.name and $.Y.properties.policySettings.enabledState equals Disabled)'; show X;
    Updated RQL—
    config from cloud.resource where api.name = 'azure-frontdoor' AND json.rule = properties.provisioningState equals Succeeded as X; config from cloud.resource where api.name = 'azure-frontdoor-waf-policy' as Y; filter '$.X.properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink.id does not exist or ($.X.properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink.id equal ignore case $.Y.id and $.Y.properties.policySettings.enabledState equals Disabled)'; show X;
    Impact—
     Low. The alerts are resolved with resolution status as Policy_Updated.
    Azure SQL Database with Auditing Retention less than 90 days
    Changes—
     The policy RQL and recommendation steps have been updated to exclude Log Analytics and Event Hubs, as retention periods are not configurable.
    Current RQL—
    config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = '(serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.state equals Disabled or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90))' as X; config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = 'blobAuditPolicy does not exist or blobAuditPolicy is empty or blobAuditPolicy.properties.retentionDays does not exist or (blobAuditPolicy.properties.state equals Enabled and blobAuditPolicy.properties.retentionDays does not equal 0 and blobAuditPolicy.properties.retentionDays less than 90)' as Y; filter '$.Y.blobAuditPolicy.id contains $.X.sqlServer.name'; show Y;
    Updated RQL—
    config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = '(serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.state equals Disabled or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.storageEndpoint is not empty and serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90))' as X; config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = '(blobAuditPolicy does not exist or blobAuditPolicy is empty or blobAuditPolicy.properties.retentionDays does not exist or (blobAuditPolicy.properties.storageEndpoint is not empty and blobAuditPolicy.properties.state equals Enabled and blobAuditPolicy.properties.retentionDays does not equal 0 and blobAuditPolicy.properties.retentionDays less than 90))' as Y; filter '$.Y.blobAuditPolicy.id contains $.X.sqlServer.name'; show Y;
    Impact—
     Low. Previously generated alerts for SQL databases configured with Log Analytics and Event hubs auditing will be resolved as Policy_Updated.
    GCP PostgreSQL instance database flag log_statement is not set appropriately
    Changes—
     The policy RQL has been enhanced to resolve false alerts by changing the contain operator to equals. Due to this, collision with similar flag names such as
    log_statement_stats
     will be avoided.
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list' AND json.rule = "state equals RUNNABLE and databaseVersion contains POSTGRES and (settings.databaseFlags[*].name does not contain log_statement or settings.databaseFlags[?any(name contains log_statement and value contains all or value contains none )] exists)"
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list' AND json.rule = state equals RUNNABLE and databaseVersion contains POSTGRES and ( settings.databaseFlags[?any( name equals "log_statement" )] does not exist or settings.databaseFlags[?any( name equals "log_statement" and value equals "all" or value equals "none" )] exists)
    Impact—
     Low. Previously generated alerts due to collision with similar flag names will be resolved as Policy_Updated.
    GCP Kubernetes Engine Clusters have binary authorization disabled
    Changes—
     The policy RQL has been updated to match CSP data. The datapoint
    binaryAuthorization.enabled
     is deprecated and replaced by
    binaryAuthorization.evaluationMode
     and the remediation CLI is removed since no single CLI command is available to update both Zonal and Regional GKE clusters.
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = 'binaryAuthorization does not exist or binaryAuthorization.enabled is false'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = binaryAuthorization.evaluationMode does not exist or binaryAuthorization.evaluationMode equal ignore case EVALUATION_MODE_UNSPECIFIED or binaryAuthorization.evaluationMode equal ignore case DISABLED
    Impact—
     High. Previously generated alerts will be resolved as Policy_Updated and new alerts will be generated for existing resources. Also, no remediation support will be available for this policy.
    Policy Updates—Metadata
    AWS S3 bucket accessible to unmonitored cloud accounts
    Changes—
     The policy recommendation steps have been updated to specify that cloud accounts monitored by Prisma Cloud should be added to the S3 bucket ACL.
    Impact—
     No impact on alerts.
    Azure AKS cluster Azure CNI networking not enabled
    Changes—
     The policy recommendation steps have been updated.
    Impact—
     No impact on alerts.
    Azure AKS cluster monitoring not enabled
    Changes—
     The policy recommendation steps have been updated.
    Impact—
     No impact on alerts.
    Azure AKS cluster HTTP application routing enabled
    Changes—
     The policy recommendation steps have been updated.
    Impact—
     No impact on alerts.
    Azure AKS enable role-based access control (RBAC) not enforced
    Changes—
     The policy recommendation steps have been updated.
    Impact—
     No impact on alerts.
    GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled
    Changes—
     The policy name and recommendation steps have been updated to reflect the CSP changes.
    Current Name—
     GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled
    Updated Name—
     GCP Kubernetes Engine Clusters have Cloud Monitoring disabled
    Impact—
     No impact on alerts.
    GCP Storage log buckets have object versioning disabled
    Changes—
     The policy recommendation steps have been updated to reflect the CSP changes.
    Impact—
     No impact on alerts.
    Storage Buckets with publicly accessible Stackdriver logs
    Changes—
     The policy name and recommendation steps have been updated to reflect the CSP changes.
    Current Name—
     Storage Buckets with publicly accessible Stackdriver logs
    Updated Name—
     GCP Storage Buckets with publicly accessible GCP logs
    Impact—
     No impact on alerts.

    Changes in Existing Behavior

    FEATURE
    DESCRIPTION
    Global Region Support for Google Compute Engine
    Prisma Cloud now provides global region support for 
    gcloud-compute-instance-template
    API. Due to this, all the resources will be deleted once, and then regenerated on the management console. Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated against the policy violations.
    Impact—
     You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for 
    gcloud-compute-instance-template
    start ingesting data again.
    Region Support for Google Cloud Load Balancing APIs
    Prisma Cloud can now store regional resources as well as global resources for 
    gcloud-compute-target-http-proxies
    and 
    gcloud-compute-target-https-proxies
    APIs. Due to this, new alerts will be generated against policy violations.
    Impact
    —You may notice an increased count in the number of alerts for 
    gcloud-compute-target-http-proxies and gcloud-compute-target-https-proxies
    APIs.
    Alerts for Audit Events
    To make your experience with audit event alerts consistent with configuration alerts for custom policies, the policy evaluation for audit events is updated to use the alert rule configuration. The targets for the cloud accounts and cloud regions for which you want to trigger alerts are now only inherited from the alert rule.
    Earlier, when you run an audit event query on the
    Investigate
     page, and save the query as a saved search and then use this saved search query as match criteria in a policy, the matched issues that trigger alerts used inputs from both the alert rule configuration and saved search.
    As an example, if you had created a saved search that includes the RQL for cloud.account, cloud.accountgroup, or cloud.region, such as
    event from cloud.audit_logs where cloud.account = 'Developer Sandbox' AND cloud.region = 'AWS Canada' AND operation IN ('DeleteAccessKey')
     the cloud.account, and cloud.region attributes will now be ignored for custom and existing policies and their associated alerts.
    Only, the target cloud accounts and cloud regions that you specify in the alert rule configuration will be used to scope when alerts are generated for the custom Audit Event policy.
    Impact—
     The change in how the targets for generating alerts scoped may result in a larger number of alerts than before. This change will be rolled out gradually over multiple phases.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo