Features Introduced in October 2022
Learn what’s new on Prisma™ Cloud in October 2022.
New Features Introduced in 22.10.2
New Features
FEATURE | DESCRIPTION |
Unified Policy and Alerts for Compute Workloads on the Platform | Incident policies and alerts for hosts and containers are now accessible from the Policies and Alerts pages on the Prisma Cloud console. This provides a single-pane to configure alert rules and view compute workload alerts so that you can contextualize and prioritize remediation.The Host and Container policies for detecting vulnerabilities and runtime incidents are visible on the Policies page. As a start, there are 4 new policies categorized as policy subtype Workload Vulnerability and Workload Incident .Alert rules support the use of these policies along with Compute Access Groups, which is a resource list where you can specify the scope of compute workloads that want to scan against these policies. On the , the alert details surface vulnerabilities detected on both hosts and containers that violate these policies and directly link to the Vulnerability Explorer on Compute. The alerts are generated for Agentless scanning or scanning with Defenders.  |
Enable Resolved Alert State in Jira Notification Template | In addition to Open alert state notifications configured in the notification template, Prisma Cloud integration with Jira now allows you to configure and send notifications for Resolved alert states through Jira tickets.For more details, refer to Integrate Prisma Cloud with Jira.   |
Granular Role Based Access Control | Enhancements to Prisma Cloud roles now allow you to create custom roles leveraging Granular Role Based Access Control (GRBAC). Easily create, edit, or update existing roles to enforce least-access privileges to Prisma Cloud features, limiting access to only those functions that align with a user’s job responsibilities. GRBAC creates a dynamic experience for Prisma Cloud users, with a customizable console that displays only the features assigned to any given user, providing an additional layer of security. |
CWP Widgets in Adoption Advisor | The Adoption Advisor includes two new widgets for Cloud Workload Protection (CWP).
 |
API Ingestions
SERVICE | API DETAILS |
Amazon DevOps Guru | aws-devops-guru-service-integration Additional permission required:
|
Amazon Kinesis Data Analytics | aws-kinesisanalyticsv2-application Additional permission required:
The Security Audit role includes only permission. You must add the permissions manually or use CFT template to update the following permissions:
|
AWS Account Management | aws-account-management-alternate-contact Additional permission required:
|
Azure App Service | azure-app-service-deployment-slots Additional permissions required:
The Reader role includes the permissions. |
Azure App Service | azure-visual-studio-accounts Additional permission required:
The Reader role includes the permission. |
Azure Bot Service | azure-botservice-bots Additional permission required:
The Reader role includes the permission. |
Azure Chaos Studio | azure-chaos-experiments Additional permission required:
The Reader role includes the permission. |
Azure Confidential Ledger | azure-confidential-ledgers The Reader role includes the permission. |
Azure Defender for Cloud | azure-iot-security-solutions Additional permission required:
The Reader role includes the permission. |
Azure DevOps | azure-devops-pipelines Additional permission required:
The Reader role includes the permission. |
Azure Kusto | azure-kusto-clusters Additional permission required:
The Reader role includes the permission. |
Azure Lab Services | azure-labservices-labs Additional permission required:
The Reader role includes the permission. |
Azure Logic Apps | azure-logic-app-integration-account Additional permission required:
The Reader role includes the permission. |
Azure Storage | azure-storage-account-keys Additional permissions required:
The Reader role includes the permissions. |
Azure Synapse Analytics | azure-synapse-workspace Additional permission required:
The Reader role includes the permission. |
Azure Virtual WAN | azure-virtual-wan-list Additional permission required:
The Reader role includes the permission. |
Azure Video Indexer | azure-video-indexer-accounts Additional permission required:
The Reader role includes the permission. |
Azure Visual Studio | azure-web-static-sites Additional permission required:
The Reader role includes the permission. |
Google Vertex AI | gcloud-vertex-ai-notebook-instance Additional permissions required:
The Viewer role includes the permissions. |
Google Workflows | gcloud-workflows-workflow Additional permissions required:
The Viewer role includes the permissions. |
New Policies
No new policies in 22.10.2.
Policy Updates
See Prisma Cloud Known Issues for a policy status change issue that may affect you.
POLICY UPDATE | DESCRIPTION |
Anomaly Policy Update | The Port scan activity (External) anomaly policy is modified to make it easier to identify cloud resources that are being actively scanned by suspicious actors on the internet. In the alert details, the Resource Name now displays your internal resource (target host) that is being scanned instead of the public IP address of the source (suspicious actor) host that is performing the scan.The change also impacts the number of port scan alerts generated on Prisma Cloud. Earlier, multiple hosts scanning the same internal resource (target host) triggered many alerts. Now, the multiple hosts scanning the same instance will trigger a single alert and record the IP address of the external host from the most recent scan. The change only applies to any new alerts generated for the Port scan activity (External) policy. For existing alerts, the public IP address of the source host performing the scan will remain in the Resource Name field. |
Change in Existing Behavior
FEATURE | DESCRIPTION |
Resource ID Update for Google Cloud Armor | The resource ID is updated in the backend for gcloud-armor-security-policy API in Prisma Cloud. Due to this, all the resources for gcloud-armor-security-policy will be deleted once and then regenerated on the management console.Existing alerts corresponding to this resource is resolved as Resource_Updated , and new alerts will be generated against policy violations.Impact— You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-armor-security-policy start ingesting data again |
REST API Updates
CHANGE | DESCRIPTION |
Permission Group APIs | The following new endpoints are available for Permission Group APIs:
|
New Features Introduced in 22.10.1
New Features
FEATURE | DESCRIPTION |
Prisma Cloud Service in France | Prisma Cloud tenant (app.fr.prismacloud.io) is now available for the France region starting October 10th, 2022. |
Update Default Alert Rule | To reduce Alert fatigue, the default alert rule now includes only the Prisma Cloud Recommended OOTB policies, for Prisma Cloud tenants created after the 22.10.1 release. You can filter these policies using the label. |
API Ingestions
SERVICE | API DETAILS |
Amazon Macie | aws-macie2-session Additional permissions required:
|
Amazon MemoryDB | aws-memorydb-parameter-group Additional permissions required:
|
Amazon MemoryDB | aws-memorydb-cluster Additional permissions required:
|
Update Amazon Glue | aws-glue-datacatalog Two new fields added:
|
Azure Cosmos DB | azure-documentdb-cassandra-clusters Additional permission required:
The Reader role includes the permission. |
Azure Dev Test Labs | azure-devtestlab-global-schedules Additional permission required:
The Reader role includes the permission. |
Azure Digital Twins | azure-digital-twins Additional permission required:
The Reader role includes the permission. |
Azure Event Grid | azure-event-grid-domains Additional permission required:
The Reader role includes the permission. |
Azure Healthcare Apis | azure-healthcare-apis-workspaces Additional permission required:
The Reader role includes the permission. |
Azure Health Bot | azure-healthbot-bots Additional permission required:
The Reader role includes the permission. |
Azure IoT Central | azure-iot-central-apps Additional permission required:
The Reader role includes the permission. |
Azure IoT Hub | azure-devices-iot-hub-resource Additional permission required:
The Reader role includes the permission. |
Azure Load Testing | azure-loadtest-service-load-tests Additional permission required:
The Reader role includes the permission. |
Azure Managed Applications | azure-solutions-applications Additional permission required:
The Reader role includes the permission. |
Azure Maps Management | azure-maps-accounts Additional permission required:
The Reader role includes the permission. |
Azure Mixed Reality | azure-mixed-reality-object-anchors-accounts Additional permission required:
The Reader role includes the permission. |
Azure Network Function | azure-network-function-traffic-collectors Additional permission required:
The Reader role includes the permission. |
Azure Orbital | azure-orbital-spacecrafts Additional permission required:
The Reader role includes the permission. |
Azure Resource Mover | azure-migrate-move-collections Additional permission required:
The Reader role includes the permission. |
Azure StorSimple | azure-storsimple-managers Additional permission required:
The Reader role includes the permission. |
Azure Stream Analytics | azure-streamanalytics-clusters Additional permission required:
The Reader role includes the permission. |
Azure Test Base | azure-test-base-accounts Additional permission required:
The Reader role includes the permission. |
Azure Time Series Insights | azure-timeseriesinsights-environments Additional permission required:
The Reader role includes the permission. |
Azure Web PubSub Service | azure-signalrservice-web-pub-sub Additional permission required:
The Reader role includes the permission. |
Google Compute Engine | gcloud-compute-autoscaler Additional permission required: The Viewer role includes the permission. |
Google Dataplex | gcloud-dataplex-lake-environment Additional permissions required:
The Viewer role includes the permissions. |
Google Dataplex | gcloud-dataplex-lake-zone Additional permissions required:
The Viewer role includes the permissions. |
New Policies
No new policies for 22.10.1.
Policy Updates
No policy updates for 22.10.1.
New Compliance Benchmarks and Updates
COMPLIANCE BENCHMARK | DESCRIPTION |
Support for CIS Microsoft Azure Foundations Benchmark v1.5.0 - Level 1 and Level 2 | Support is now available for CIS Azure Foundations Benchmark version 1.5.0. It is a compliance standard for securing Microsoft Azure resources. This benchmark provides prescriptive guidelines for configuring Azure services in accordance with industry best practices. |
Support for CIS Amazon Web Services Foundations Benchmark v1.5.0 - Level 1 and Level 2 | Support is now available for CIS Amazon Web Services Foundations Benchmark version 1.5.0. This benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services on foundational, testable, and architecture-agnostic settings. |
Support for Fedramp Moderate and Low Control Standards | Support is now available for Federal Risk and Authorization Management Program (FedRAMP) Moderate and Low control standards. The security controls outlined in FedRAMP are based on NIST Special Publication 800-53, which provides the standards and security requirements for federal government information systems. |
Change in Existing Behavior
FEATURE | DESCRIPTION |
Global Region Support for Google API Keys | Prisma Cloud now provides global region support for gcloud-api-key . Due to this, all the resources will be deleted once, and then regenerated on the management console.Existing alerts corresponding to these resources are resolved as Resource_Updated , and new alerts will be generated against policy violations.Impact—*You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once theresources for *gcloud-api-key start ingesting data again. |
REST API Updates
No REST API updates for 22.10.1.
