Features Introduced in October 2022

Learn what’s new on Prisma™ Cloud in October 2022.

New Features

FEATURE
DESCRIPTION
Unified Policy and Alerts for Compute Workloads on the Platform
Incident policies and alerts for hosts and containers are now accessible from the Policies and Alerts pages on the Prisma Cloud console. This provides a single pane to configure alert rules and view compute workload alerts so that you can contextualize and prioritize remediation.
The Host and Container policies for detecting vulnerabilities and runtime incidents are visible on the Policies page. As a start, there are 4 new policies categorized under the policy subtypes Workload Vulnerability and Workload Incident.
Alert rules support the use of these policies along with Compute Access Groups, a resource list where you specify the scope of compute workloads that you want to scan against these policies. On the Alerts Overview page, the alert details surface vulnerabilities detected on both hosts and containers that violate these policies and link directly to the Vulnerability Explorer on Compute. The alerts are generated for Agentless scanning or scanning with Defenders.
Enable Resolved Alert State in Jira Notification Template
In addition to Open alert state notifications configured in the notification template, the Prisma Cloud integration with Jira now allows you to configure and send notifications for Resolved alert states through Jira tickets.
For more details, refer to Integrate Prisma Cloud with Jira.
Granular Role Based Access Control
Enhancements to Prisma Cloud roles now allow you to create custom roles using Granular Role Based Access Control (GRBAC). Create, edit, or update roles to enforce least privilege on Prisma Cloud features, limiting access to only those functions that align with a user’s job responsibilities.
GRBAC creates a dynamic experience for Prisma Cloud users, with a customizable console that displays only the features assigned to any given user, providing an additional layer of security.
CWP Widgets in Adoption Advisor
The Adoption Advisor includes two new widgets for Cloud Workload Protection (CWP).
  • Discovered Vs Secured Resources—
    This widget gives visibility into the protection coverage of your cloud environment: review the resources discovered through Cloud Discovery and compare them with the Defenders that have been deployed.
  • Vulnerability Trends—
    This widget tracks the resources impacted by vulnerabilities discovered and resolved over time across images, hosts, containers, and functions.

API Ingestions

SERVICE
API DETAILS
Amazon DevOps Guru
aws-devops-guru-service-integration
Additional permission required:
devops-guru:DescribeServiceIntegration
Amazon Kinesis Data Analytics
aws-kinesisanalyticsv2-application
Additional permission required:
  • kinesisanalytics:ListTagsForResource
  • kinesisanalytics:ListApplications
  • kinesisanalytics:DescribeApplication
The Security Audit role includes only the kinesisanalytics:ListApplications permission.
You must add the permissions manually or use the CFT template to update the following permissions:
  • kinesisanalytics:ListApplications
  • kinesisanalytics:DescribeApplication
AWS Account Management
aws-account-management-alternate-contact
Additional permission required:
account:GetAlternateContact
Azure App Service
azure-app-service-deployment-slots
Additional permissions required:
  • Microsoft.Web/sites/slots/read
  • Microsoft.Web/serverfarms/sites/read
The Reader role includes the permissions.
Azure App Service
azure-visual-studio-accounts
Additional permission required:
Microsoft.VisualStudio/Account/Read
The Reader role includes the permission.
Azure Bot Service
azure-botservice-bots
Additional permission required:
Microsoft.BotService/botServices/read
The Reader role includes the permission.
Azure Chaos Studio
azure-chaos-experiments
Additional permission required:
Microsoft.Chaos/experiments/read
The Reader role includes the permission.
Azure Confidential Ledger
azure-confidential-ledgers
Additional permission required:
Microsoft.ConfidentialLedger/ledgers/read
The Reader role includes the permission.
Azure Defender for Cloud
azure-iot-security-solutions
Additional permission required:
Microsoft.Security/iotSecuritySolutions/read
The Reader role includes the permission.
Azure DevOps
azure-devops-pipelines
Additional permission required:
Microsoft.DevOps/pipelines/read
The Reader role includes the permission.
Azure Kusto
azure-kusto-clusters
Additional permission required:
Microsoft.Kusto/Clusters/read
The Reader role includes the permission.
Azure Lab Services
azure-labservices-labs
Additional permission required:
Microsoft.LabServices/labs/read
The Reader role includes the permission.
Azure Logic Apps
azure-logic-app-integration-account
Additional permission required:
Microsoft.Logic/integrationAccounts/read
The Reader role includes the permission.
Azure Storage
azure-storage-account-keys
Additional permissions required:
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/listKeys/action
The Reader role includes the permissions.
Azure Synapse Analytics
azure-synapse-workspace
Additional permission required:
Microsoft.Synapse/workspaces/read
The Reader role includes the permission.
Azure Virtual WAN
azure-virtual-wan-list
Additional permission required:
Microsoft.Network/virtualWans/read
The Reader role includes the permission.
Azure Video Indexer
azure-video-indexer-accounts
Additional permission required:
Microsoft.VideoIndexer/accounts/read
The Reader role includes the permission.
Azure Visual Studio
azure-web-static-sites
Additional permission required:
Microsoft.Web/staticSites/Read
The Reader role includes the permission.
Google Vertex AI
gcloud-vertex-ai-notebook-instance
Additional permissions required:
  • notebooks.locations.list
  • notebooks.instances.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
The Viewer role includes the permissions.
Google Workflows
gcloud-workflows-workflow
Additional permissions required:
  • workflows.locations.list
  • workflows.workflows.list
The Viewer role includes the permissions.
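As an added check (example code, not Prisma Cloud's own), this script compares the AWS permissions listed in the table above, such as the two kinesisanalytics actions the Security Audit role lacks, against an IAM policy document and reports what still has to be added. It evaluates only Effect and Action with IAM-style wildcard matching and ignores Resource, Condition and NotAction, which is a simplification.

```python
import fnmatch
import json

# AWS permissions listed for this release's ingestions (copied from the table above).
REQUIRED_ACTIONS = {
    "aws-devops-guru-service-integration": ["devops-guru:DescribeServiceIntegration"],
    "aws-kinesisanalyticsv2-application": [
        "kinesisanalytics:ListTagsForResource",
        "kinesisanalytics:ListApplications",
        "kinesisanalytics:DescribeApplication",
    ],
    "aws-account-management-alternate-contact": ["account:GetAlternateContact"],
}

def split_actions(policy):
    """Collect Allow and Deny action patterns from an IAM policy document."""
    allow, deny = [], []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        (allow if stmt.get("Effect") == "Allow" else deny).extend(actions)
    return allow, deny

def is_granted(action, allow, deny):
    """IAM action names match case-insensitively; '*' and '?' wildcards apply. Deny wins."""
    a = action.lower()
    if any(fnmatch.fnmatchcase(a, p.lower()) for p in deny):
        return False
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in allow)

def missing_permissions(policy, required=REQUIRED_ACTIONS):
    """Return {api_name: [actions the policy does not grant]} for APIs with gaps."""
    allow, deny = split_actions(policy)
    gaps = {}
    for api, actions in required.items():
        missing = [x for x in actions if not is_granted(x, allow, deny)]
        if missing:
            gaps[api] = missing
    return gaps

# Constructed sample policy: the role already has kinesisanalytics:ListApplications
# (as the Security Audit role does) but not the other two kinesisanalytics actions.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["kinesisanalytics:ListApplications",
                                   "devops-guru:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "account:*", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for api, missing in missing_permissions(SAMPLE_POLICY).items():
        print(f"{api}: add {', '.join(missing)}")
```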

New Policies

No new policies in 22.10.2.

Policy Updates

See Prisma Cloud Known Issues for a policy status change issue that may affect you.
POLICY UPDATE
DESCRIPTION
Anomaly Policy Update
The Port scan activity (External) anomaly policy is modified to make it easier to identify cloud resources that are being actively scanned by suspicious actors on the internet. In the alert details, the Resource Name now displays your internal resource (target host) that is being scanned instead of the public IP address of the source (suspicious actor) host that is performing the scan.
The change also impacts the number of port scan alerts generated on Prisma Cloud. Earlier, multiple hosts scanning the same internal resource (target host) triggered many alerts. Now, multiple hosts scanning the same instance trigger a single alert that records the IP address of the external host from the most recent scan.
The change only applies to new alerts generated for the Port scan activity (External) policy. For existing alerts, the public IP address of the source host performing the scan will remain in the Resource Name field.

Change in Existing Behavior

FEATURE
DESCRIPTION
Resource ID Update for Google Cloud Armor
The resource ID is updated in the backend for the gcloud-armor-security-policy API in Prisma Cloud. Due to this, all the resources for gcloud-armor-security-policy will be deleted once and then regenerated on the management console.
Existing alerts corresponding to this resource are resolved as Resource_Updated, and new alerts will be generated against policy violations.
Impact—You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-armor-security-policy start ingesting data again.

REST API Updates

CHANGE
DESCRIPTION
Permission Group APIs
The following new endpoints are available for Permission Group APIs:

New Features

FEATURE
DESCRIPTION
Prisma Cloud Service in France
Prisma Cloud tenant (app.fr.prismacloud.io) is now available for the France region starting October 10th, 2022.
Default Alert Rule (Update)
To reduce alert fatigue, the default alert rule now includes only the Prisma Cloud Recommended OOTB policies for Prisma Cloud tenants created after the 22.10.1 release. You can filter these policies using the Prisma_Cloud label.

API Ingestions

SERVICE
API DETAILS
Amazon Macie
aws-macie2-session
Additional permissions required:
  • macie2:GetClassificationExportConfiguration
  • macie2:GetMacieSession
  • macie2:GetRevealConfiguration
  • macie2:GetFindingsPublicationConfiguration
Amazon MemoryDB
aws-memorydb-parameter-group
Additional permissions required:
  • memorydb:DescribeParameters
  • memorydb:DescribeParameterGroups
  • memorydb:ListTags
Amazon MemoryDB
aws-memorydb-cluster
Additional permissions required:
  • memorydb:DescribeClusters
  • memorydb:ListTags
Amazon Glue (Update)
aws-glue-datacatalog
Two new fields added:
  • CatalogId
  • RegionId
Azure Cosmos DB
azure-documentdb-cassandra-clusters
Additional permission required:
Microsoft.DocumentDB/cassandraClusters/read
The Reader role includes the permission.
Azure Dev Test Labs
azure-devtestlab-global-schedules
Additional permission required:
Microsoft.DevTestLab/schedules/read
The Reader role includes the permission.
Azure Digital Twins
azure-digital-twins
Additional permission required:
Microsoft.DigitalTwins/digitalTwinsInstances/read
The Reader role includes the permission.
Azure Event Grid
azure-event-grid-domains
Additional permission required:
Microsoft.EventGrid/domains/read
The Reader role includes the permission.
Azure Healthcare Apis
azure-healthcare-apis-workspaces
Additional permission required:
Microsoft.HealthcareApis/workspaces/read
The Reader role includes the permission.
Azure Health Bot
azure-healthbot-bots
Additional permission required:
Microsoft.HealthBot/healthBots/Read
The Reader role includes the permission.
Azure IoT Central
azure-iot-central-apps
Additional permission required:
Microsoft.IoTCentral/IoTApps/read
The Reader role includes the permission.
Azure IoT Hub
azure-devices-iot-hub-resource
Additional permission required:
Microsoft.Devices/iotHubs/Read
The Reader role includes the permission.
Azure Load Testing
azure-loadtest-service-load-tests
Additional permission required:
Microsoft.LoadTestService/loadTests/read
The Reader role includes the permission.
Azure Managed Applications
azure-solutions-applications
Additional permission required:
Microsoft.Solutions/applications/read
The Reader role includes the permission.
Azure Maps Management
azure-maps-accounts
Additional permission required:
Microsoft.Maps/accounts/read
The Reader role includes the permission.
Azure Mixed Reality
azure-mixed-reality-object-anchors-accounts
Additional permission required:
Microsoft.MixedReality/ObjectAnchorsAccounts/read
The Reader role includes the permission.
Azure Network Function
azure-network-function-traffic-collectors
Additional permission required:
Microsoft.NetworkFunction/azureTrafficCollectors/read
The Reader role includes the permission.
Azure Orbital
azure-orbital-spacecrafts
Additional permission required:
Microsoft.Orbital/spacecrafts/read
The Reader role includes the permission.
Azure Resource Mover
azure-migrate-move-collections
Additional permission required:
Microsoft.Migrate/moveCollections/read
The Reader role includes the permission.
Azure StorSimple
azure-storsimple-managers
Additional permission required:
Microsoft.StorSimple/managers/read
The Reader role includes the permission.
Azure Stream Analytics
azure-streamanalytics-clusters
Additional permission required:
Microsoft.StreamAnalytics/clusters/Read
The Reader role includes the permission.
Azure Test Base
azure-test-base-accounts
Additional permission required:
Microsoft.TestBase/testBaseAccounts/read
The Reader role includes the permission.
Azure Time Series Insights
azure-timeseriesinsights-environments
Additional permission required:
Microsoft.TimeSeriesInsights/environments/read
The Reader role includes the permission.
Azure Web PubSub Service
azure-signalrservice-web-pub-sub
Additional permission required:
Microsoft.SignalRService/WebPubSub/read
The Reader role includes the permission.
Google Compute Engine
gcloud-compute-autoscaler
Additional permission required:
compute.autoscalers.list
The Viewer role includes the permission.
Google Dataplex
gcloud-dataplex-lake-environment
Additional permissions required:
  • dataplex.locations.list
  • dataplex.lakes.list
  • dataplex.environments.list
  • dataplex.environments.getIamPolicy
The Viewer role includes the permissions.
Google Dataplex
gcloud-dataplex-lake-zone
Additional permissions required:
  • dataplex.locations.list
  • dataplex.lakes.list
  • dataplex.zones.list
  • dataplex.zones.getIamPolicy
The Viewer role includes the permissions.

New Policies

No new policies for 22.10.1.

Policy Updates

No policy updates for 22.10.1.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Support for CIS Microsoft Azure Foundations Benchmark v1.5.0 - Level 1 and Level 2
Support is now available for CIS Azure Foundations Benchmark version 1.5.0. It is a compliance standard for securing Microsoft Azure resources. This benchmark provides prescriptive guidelines for configuring Azure services in accordance with industry best practices.
Support for CIS Amazon Web Services Foundations Benchmark v1.5.0 - Level 1 and Level 2
Support is now available for CIS Amazon Web Services Foundations Benchmark version 1.5.0. This benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services on foundational, testable, and architecture-agnostic settings.
Support for Fedramp Moderate and Low Control Standards
Support is now available for Federal Risk and Authorization Management Program (FedRAMP) Moderate and Low control standards. The security controls outlined in FedRAMP are based on NIST Special Publication 800-53, which provides the standards and security requirements for federal government information systems.

Change in Existing Behavior

FEATURE
DESCRIPTION
Global Region Support for Google API Keys
Prisma Cloud now provides global region support for gcloud-api-key. Due to this, all the resources will be deleted once, and then regenerated on the management console.
Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated against policy violations.
Impact—You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-api-key start ingesting data again.

REST API Updates

No REST API updates for 22.10.1.
