: Features Introduced in April 2023
Focus
Focus

Features Introduced in April 2023

Table of Contents

Features Introduced in April 2023

Learn what’s new on Prisma™ Cloud in April 2023.

New Features

FEATURE
DESCRIPTION
Simplified Onboarding of AWS, Azure, and GCP Cloud Accounts
Prisma Cloud now provides a simplified onboarding experience to adapt to your security priorities in a streamlined manner with support for CSPM, CWPP, Data Security, and Identity Security grouped as Foundational and/or Advanced capabilities (with a few enabled by default). The updated onboarding workflow provides a Faster First Time to Value (FTTV) by allowing you to onboard your AWS, Azure, or GCP cloud accounts and selecting the security capabilities in fewer clicks.
Support for New Regions on GCP
Prisma Cloud now ingests data for resources deployed in the Doha and Turin cloud regions on GCP.
To review a list of supported regions, select
Inventory
Assets
, and choose Cloud Region from the filter drop-down.
Addition of New IP Addresses
Prisma Cloud has added new NAT IP addresses to the existing list. Make sure to review the list and update the IP addresses in your allow lists.
Enhancement
Intelligent Network Graph Provides Contextual View
Enhancements to Prisma Cloud’s Investigate Graph provide you with a comprehensive understanding of where your assets are deployed, potential environmental vulnerabilities and their risk level, to help you determine if further investigation is warranted.
The new Intelligent Network Graph now provides a contextual view of cloud traffic patterns by automatically grouping assets based on parent relationships and creating a top-down hierarchy for every IP address associated with Prisma Cloud monitored assets.
Expand the graph to the level of the asset you’re investigating and select
View Details
link in the sidecar to analyze specific network traffic flows.
You can also download a CSV report of the traffic flow of your entire network, a node, an instance, or a specific connection between a source and a destination node.
You can save Searches under
My Saved Searches
. Use Saved Searches to create custom policies to generate alerts when a specific pattern of network flow is detected.
Enhancement
Adoption Advisor Thresholds
The thresholds on the Adoption Advisor are updated to give you a more accurate progress indicator for the following checks:
  • Onboard and Configure Cloud Accounts
  • Enable Audit Logs
  • Enable Flow Logs
  • Define Alert Rules
  • Policies— Create Config Policies, Create Network Policies, and Create Audit Policies
With this enhancement, your adoption progress should better reflect the checks you’re enforcing for your business needs, making it easier for you to see how well you’re doing.
Enhancement
IsSubset method for RQL _Set function
The
_Set function
is enhanced to add support for the
_Set.isSubset
method that enables you to identify whether a specific value or comma separated list of values returned by the JSON path of the resource is fully contained within the target list.
The syntax is:
_Set.isSubset(<path>, <targelist>) is [ true | false ]
where
<path> = JSON path
<target_list> = a set of strings without any whitespace.
Example:
config from cloud.resource where api.name= 'aws-ec2-describe-security-groups' AND json.rule = groupName contains rql and _Set.isSubset(tags[*].key,(Name,"no_value",rql***auto)) is true

API Ingestions

SERVICE
API DETAILS
Amazon Firewall Manager
aws-fms-admin-account
Additional permission required:
  • fms:GetAdminAccount
You must manually add the permission or update the CFT template to enable them.
Amazon Firewall Manager
aws-fms-compliance-status
Additional permissions required:
  • fms:ListPolicies
  • fms:ListComplianceStatus
The Security Audit role includes the permissions.
Amazon Firewall Manager
aws-fms-policy
Additional permissions required:
  • fms:GetAdminAccount
  • fms:ListPolicies
  • fms:GetPolicy
The Security Audit role only includes the permission
fms:ListPolicies
.
You must manually add the permissions or update the CFT template to enable
fms:GetPolicy
and
fms:GetAdminAccount
.
Update
Amazon RDS
aws-rds-db-cluster
This API is updated to include a new field
dBclusterParameterGroupArn
in the resource JSON.
Azure CDN
azure-frontdoor-standardpremium-origin-groups
Additional permissions required:
  • Microsoft.Cdn/profiles/read
  • Microsoft.Cdn/profiles/origingroups/read
The Reader role includes the permissions.
Azure CDN
azure-frontdoor-standardpremium-security-policies
Additional permissions required:
  • Microsoft.Cdn/profiles/read
  • Microsoft.Cdn/profiles/securitypolicies/read
The Reader role includes the permissions.
Update
Azure Event Hubs
azure-event-hub-namespace
This API is updated to include the following new fields in the resource JSON:
  • MinimumTlsVersion
  • disableLocalAuth
Update
Azure Service Bus
azure-service-bus-namespace
This API is updated to include a new field
MinimumTlsVersion
in the resource JSON.
Google Cloud Function
gcloud-cloud-function-v2
Additional permissions required:
  • cloudfunctions.locations.list
  • cloudfunctions.functions.list
  • cloudfunctions.functions.getIamPolicy
The Viewer role includes the permissions.
Google Cloud Memorystore for Memcached
gcloud-memorystore-memcached-instance
Additional permissions required:
  • memcache.locations.list
  • memcache.instances.list
The Viewer role includes the permissions.
OCI Database
oci-database-autonomous-database
Additional permission required:
  • AUTONOMOUS_DATABASE_INSPECT
You must download and execute the Terraform template from the console to enable the permission.
OCI Database
oci-database-db-home
Additional permission required:
  • DB_HOME_INSPECT
You must download and execute the Terraform template from the console to enable the permission.
OCI Database
oci-database-db-home-patch
Additional permission required:
  • DB_HOME_INSPECT
You must download and execute the Terraform template from the console to enable the permission.
OCI Database
oci-database-db-system-patch
Additional permission required:
  • DB_SYSTEM_INSPECT
You must download and execute the Terraform template from the console to enable the permission.
OCI DataLabeling
oci-datalabeling-dataset
Additional permissions required:
  • DATA_LABELING_DATASET_INSPECT
  • DATA_LABELING_DATASET_READ
You must download and execute the Terraform template from the console to enable the permissions.
OCI File Storage
oci-file-storage-mount-target
Additional permissions required:
  • COMPARTMENT_INSPECT
  • MOUNT_TARGET_INSPECT
  • MOUNT_TARGET_READ
You must download and execute the Terraform template from the console to enable the permissions.
OCI JMS
oci-jms-fleet
Additional permissions required:
  • FLEET_INSPECT
  • FLEET_READ
You must download and execute the Terraform template from the console to enable the permissions.
OCI Service Mesh
oci-service-mesh-access-policy
Additional permissions required:
  • MESH_ACCESS​_POLICY_LIST
  • MESH_ACCESS​_POLICY_READ
You must download and execute the Terraform template from the console to enable the permissions.
OCI Service Mesh
oci-service-mesh-virtual-deployment
Additional permissions required:
  • MESH_VIRTUAL​_DEPLOYMENT_LIST
  • MESH_VIRTUAL​_DEPLOYMENT_READ
  • MESH_VIRTUAL_DEPLOYMENT​_PROXY_CONFIG_READ
  • MESH_PROXY_DETAILS_READ
You must download and execute the Terraform template from the console to enable the permissions.
OCI Service Mesh
oci-service-mesh-meshes
Additional permissions required:
  • SERVICE_MESH_LIST
  • SERVICE_MESH_READ
You must download and execute the Terraform template from the console to enable the permissions.
OCI Speech
oci-speech-transcription-job
Additional permissions required:
  • AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_INSPECT
  • AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_READ
You must download and execute the Terraform template from the console to enable the permissions.
OCI Vision
oci-vision-model
Additional permissions required:
  • AI_SERVICE_VISION_MODEL_INSPECT
  • AI_SERVICE_VISION_MODEL_READ
You must download and execute the Terraform template from the console to enable the permissions.
OCI Vision
oci-vision-project
Additional permissions required:
  • AI_SERVICE_VISION_PROJECT_INSPECT
  • AI_SERVICE_VISION_PROJECT_READ
You must download and execute the Terraform template from the console to enable the permissions.

New Policies

NEW POLICIES
DESCRIPTION
Workload Protection Policies
For protecting hosts and containers from runtime incidents and detecting vulnerabilities on these workloads, you have 3 new out-of-the-box policies:
  • Serverless Functions detected with known Vulnerabilities (Workload Vulnerability)
  • Host VM Images detected with known Vulnerabilities (Workload Vulnerability)
  • Apps Embedded detected with Runtime Incidents (Workload Incident)
To find these policies, select
Policies
and filter on the
Policy Type
Workload Incident and Workload Vulnerability.
The
Apps Embedded detected with Runtime Incidents
policy will only work for GCP GCR and AWS Fargate, not AWS EKS and Azure ACI.
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and unusual high volume data transfer activity
Identifies AWS EC2 instances which are publicly exposed, have critical or high vulnerabilities and high volume data transfer activity. The high volume data transfer could be a data exfiltration attempt. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Attackers can exploit vulnerabilities on the EC2 instance to compromise the confidentiality, integrity and availability of the affected EC2 instance and perform malicious actions. If network connectivity with remote systems known for high volume data transfer activity is observed on a publicly exposed and exploitable EC2 instance, it could indicate that the instance is already under attack or has been compromised. Immediate attention is required to investigate the high volume data transfer activity, remediate the critical or high vulnerabilities and restrict the public exposure reported for the EC2 instance as soon as possible.
Policy Severity—
Critical.
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and cryptomining domain request activity
Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for cryptomining domain request activities. Cryptomining domain request initiates suspicious DNS queries to domain names that are associated with known crypto-mining pools to generate new coins in cryptocurrencies such as Bitcoin and Monero. The network connectivity with remote systems known for cryptomining domain request on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised.
Policy Severity—
Critical.
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and DGA domain request activity
Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for DGA domain request activities. Domain generation algorithms (DGAs) are used to generate pseudo-random domain names, typically in large numbers within the context of establishing a malicious command-and-control (C2) communications channel. The network connectivity with remote systems known for DGA domain request activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised.
Policy Severity—
Critical.

Policy Updates

No Policy Updates for 23.4.2.

Changes in Existing Behavior

FEATURE
DESCRIPTION
Rate Limit Exception for GCP APIs
The API calls from Prisma Cloud now use quota from the onboarded GCP Projects instead of the GCP Project where the service account is created. This change enables Prisma Cloud to ingest resource metadata across multiple projects without exceeding the GCP API rate limits.
To ensure continuous insights into all of your GCP resources and to prevent rate limit exception errors, follow the steps listed in prerequisites to onboard GCP and make sure to complete them.
If you use the Terraform template provided by Prisma Cloud, the required permissions to the GCP service account are automatically enabled.
Impact
— Not completing the tasks may result in rate limit exception errors for Prisma Cloud’s authorized API calls to GCP.
Update for Google Compute APIs
Prisma Cloud now provides global region support, as well as a backend update to the resource ID for
gcloud-compute-internal-lb-backend-service
API. As a result, all resources for these APIs will be deleted and then regenerated on the management console.
Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against policy violations if any.
Impact
—You may notice a reduced alert count. However, once the resources for
gcloud-compute-internal-lb-backend-service
resume ingesting data, the alert count will return to the original numbers.

REST API Updates

CHANGE
DESCRIPTION
Cloud Accounts Endpoints
The following new endpoints are now available for the Cloud Accounts API:
Data Security Settings Endpoints
The following new endpoints are now available for the Data Security Settings API:
New APIs for Onboarding GCP Cloud Accounts
The following new endpoints are now available for the Cloud Accounts API.
New API to Get Cloud Account Deployment Types
The following new endpoint is added to get the deployment types of a cloud account. This endpoint is supported only for Alibaba account.
New Parameter Added for Alibaba Account
A new parameter
deployment type
is added to the request or response body of the following endpoints. This parameter is supported only for Alibaba accounts.

Deprecation Notice

FEATURE
DESCRIPTION
End of Support for AWS Classic EC2 Service
The
aws-ec2-classic-instance
API is planned for deprecation at the end of April 2023. As AWS has announced the depreciation of the resource type, Prisma Cloud will no longer ingest the
aws-ec2-classic-instance
API. For more information, see Retiring EC2-Classic Networking.
Prisma Cloud Data Security v1, v2 APIs
The following Prisma Cloud Data Security APIs (v1, v2) for AWS cloud account onboarding, data settings, data profiles, snippets, and data patterns are deprecated:
Cloud Accounts Endpoints
  • Add Data Security Config (AWS Org) -
    POST /dlp/api/config/v2
  • Update Data Security Config (AWS Org) -
    PUT /dlp/api/config/v2
  • Check Data Security Preconditions (AWS Org) -
    POST /dlp/api/v1/config/awsorg/status
  • Get Data Security Config (AWS Org) -
    GET /dlp/api/config/v2/:accountId
Data Security Settings Endpoints
  • List Data Resources -
    GET /dlp/api/v1/resource-inventory/resources
  • Update Data Scan Config -
    PUT /dlp/api/config/v2/resource
  • List Data Patterns -
    PUT /dlp/api/v1/dss-api/data-pattern
  • Add Data Pattern -
    POST /dlp/api/v1/dss-api/data-pattern
  • Clone Data Pattern -
    POST /dlp/api/v1/dss-api/data-pattern/clone
  • Get Data Pattern Details -
    GET /dlp/api/v1/dss-api/data-pattern/id/:patternId
  • Get Data Pattern By Name -
    GET /dlp/api/v1/dss-api/data-pattern/name
  • Update Data Pattern -
    PUT /dlp/api/v1/dss-api/data-pattern/:patternId
  • Delete Data Pattern -
    DELETE /dlp/api/v1/dss-api/data-pattern/:patternId
  • List Data Profiles -
    GET /dlp/api/v1/dss-api/data-profile
  • Add Data Profile -
    POST /dlp/api/v1/dss-api/data-profile
  • Update Data Profile Status -
    PUT /dlp/api/v1/dss-api/data-profile
  • Get Data Profile Details -
    GET /dlp/api/v1/dss-api/data-profile/id/:profileId
  • Update Data Profile -
    PUT /dlp/api/v1/dss-api/data-profile/id/:profileId
  • Clone Data Profile -
    POST /dlp/api/v1/dss-api/data-profile/id/:profileId
  • Delete Data Profile -
    DELETE /dlp/api/v1/dss-api/data-profile/id/:profileId
  • Get Snippet Configuration -
    GET /dlp/api/v1/dss-api/snippets
  • Update Snippet Configuration -
    POST /dlp/api/v1/dss-api/snippets

New Features

FEATURE
DESCRIPTION
Support for New Region on AWS
Prisma Cloud now ingests data for resources deployed in the Hyderabad cloud region on AWS.
To review a list of supported regions, select
Inventory
Assets
, and choose Cloud Region from the filter drop-down.
Enhancement
OCI Terraform File Update
Prisma Cloud now supports over 100 IAM policy statements without requiring a service limit increase from OCI. With this change, you must update your existing Terraform file to enable read permissions for all the supported services necessary for an OCI tenant on Prisma Cloud.

API Ingestions

SERVICE
API DETAILS
Azure Virtual WAN
azure-vpn-server-configurations
Additional permission required:
  • Microsoft.Network/vpnServerConfigurations/read
The Reader role includes the permission.
Azure Virtual WAN
azure-p2s-vpn-gateway
Additional permission required:
  • Microsoft.Network/p2sVpnGateways/read
The Reader role includes the permission.
Google Certificate Authority Service
gcloud-certificate-authority-certificate-template
Additional permissions required:
  • privateca.locations.list
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.getIamPolicy
The Viewer role includes the permissions.
Google Traffic Director Network Service
gcloud-traffic-director-network-service-gateway
Additional permissions required:
  • networkservices.locations.list
  • networkservices.gateways.list
The Viewer role includes the permissions.
Google Traffic Director Network Service
gcloud-traffic-director-network-service-mesh
Additional permissions required:
  • networkservices.locations.list
  • networkservices.meshes.list
  • networkservices.meshes.getIamPolicy
The Viewer role includes the permissions.

New Policies

NEW POLICIES
DESCRIPTION
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and malware activity
Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for malware activities. Malware includes viruses, trojans, worms and other types of malware that affect the popular open-source operating system. The network connectivity with remote systems known for malware activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised.
Policy Severity—
Critical.
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and botnet activity
Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for botnet activities. A Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allows the attacker to access the device and its connection. The network connectivity with remote systems known for botnet activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised.
Policy Severity—
Critical.
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and cryptominer activity
Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for cryptominer activities. Cryptominer hides on computers or mobile devices to surreptitiously use the machine’s resources to mine cryptocurrencies. The network connectivity with remote systems known for cryptominer activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised.
Policy Severity—
Critical.
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and backdoor activity
Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for backdoor activities. A backdoor allows unauthorized remote access to the instances where the malware is installed while bypassing the authentication mechanisms in place. The network connectivity with remote systems known for backdoor activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised.
Policy Severity—
Critical.

Policy Updates

No Policy Updates for 23.4.1.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Support for ISO/IEC 27001:2022
Prisma Cloud now supports the ISO/IEC 27001:2022 compliance standard.
ISO/IEC 27001:2022 provides guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls while taking the organization’s information security risk environment into account.
With this support, you can now view this built-in standard and the related policies on Prisma Cloud’s
Compliance > Standard
page. Additionally, you can generate reports for immediate viewing or download, or you can schedule recurring reports to keep track of this compliance standard over time.

Changes in Existing Behavior

FEATURE
DESCRIPTION
Changes to Policy Severity Level
First announced in 23.2.1
Prisma Cloud updated the system default policies to help you identify critical alerts and address them effectively. The policy severity levels for some system default policies are re-aligned to use the newly introduced
Critical
and
Informational
severities. Due to this change, the policies have five levels of severity; Critical, High, Medium, Low, and Informational. You can prioritize critical alerts first and then move on to the other levels. For more information, see the updated list of policies.
Impact—
  • Your existing open alerts associated with updated policies will have a change in their severity levels.
  • If you have Alert rules set up based on the
    Policy Severity
    filter, there may be a decrease or increase in the number of alerts.
  • The overall Compliance posture may change due to possible alert number changes.
  • If you have alert rules configured for external integrations such as ServiceNow, this shift in the number of alerts may result in sending notifications for the Resolved or Open alerts.
  • If you change a custom severity of a policy back to the default severity, the new severity update will apply.
This update will not affect the severities of your custom policies or the system default policies for which you have manually changed the severities (custom severity). Also, if you have included a policy in at least one other alert rule
(not based on severity filter)
, there will be no change in the alert numbers.
If you have any questions, contact your Prisma Cloud Customer Success Representative.
Update for Google Compute APIs
Prisma Cloud now provides global region support, as well as a backend update to the resource ID for
gcloud-compute-url-maps
,
gcloud-compute-target-http-proxies
, and
gcloud-compute-target-https-proxies
APIs. As a result, all resources for these APIs will be deleted and then regenerated on the management console.
Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against policy violations if any.
Impact
—You may notice a reduced alert count. However, once the resources for
gcloud-compute-url-maps
,
gcloud-compute-target-http-proxies
, and
gcloud-compute-target-https-proxies
resume ingesting data, the alert count will return to the original numbers.

REST API Updates

CHANGE
DESCRIPTION
New APIs for Onboarding Azure Cloud Accounts
The following new endpoints are now available for the Cloud Accounts API.
New APIs for Data Security Onboarding
The following new endpoints are now available for the Data Security Onboarding API.

Recommended For You