Features Introduced in March 2023
Learn what’s new on Prisma™ Cloud in March 2023.
New Features Introduced in 23.3.2
New Features
| FEATURE | DESCRIPTION |
|---|---|
| Support for New Regions on GCP | Prisma Cloud now ingests data for resources deployed in the Madrid, Milan, Paris, Tel Aviv, Toronto, Santiago, Columbus, and Dallas cloud regions on GCP. To review the list of supported regions, select Inventory > Assets. |
API Ingestions
| SERVICE | API DETAILS |
|---|---|
| Update AWS Config | aws-configservice-describe-configuration-recorders. This API is updated with an additional field, region, in the resource JSON. |
| AWS Network Firewall | aws-network-firewall-firewall-policy. Additional permissions required:<br>You must manually add the permissions or update the CFT template to enable them. Not supported in AWS China. |
| AWS Network Firewall | aws-network-firewall-firewall. Additional permissions required:<br>The Security Audit role only includes the permission. You must manually add the permission or update the CFT template to enable it. Not supported in AWS China. |
| AWS Systems Manager | aws-ssm-resource-compliance-summary. Additional permission required:<br>The Security Audit role includes the permission. |
| Google Cloud Firestore | gcloud-cloud-firestore-native-database. Additional permission required:<br>The Viewer role includes the permission. |
| Google Anthos GKE Fleet Management | gcloud-anthos-gke-fleet-membership. Additional permissions required:<br>The Viewer role includes the permissions. |
| Google Anthos GKE Fleet Management | gcloud-anthos-gke-fleet-feature. Additional permissions required:<br>The Viewer role includes the permissions. |
| Update Google Certificate Authority Service | An additional permission is required for the following APIs:<br>The Viewer role includes the permission. |
| Update Google Dataplex | gcloud-dataplex-lake-zone-asset-action. Additional permission required:<br>The Viewer role includes the permission. |
| Update API Gateway | gcloud-apigateway-gateway. Additional permission required:<br>The Viewer role includes the permission. |
New Policies
No New Policies for 23.3.2.
Policy Updates
| POLICY UPDATES | DESCRIPTION |
|---|---|
| Policy Updates-RQL | |
| AWS Cloudfront Distribution with S3 have Origin Access set to disabled | Changes: The policy RQL is updated to include the new AWS Origin Access Control feature.<br>Current RQL:<br>Updated RQL:<br>Impact: Medium. Existing open alerts related to the AWS Origin Access Control feature will be resolved with the resolution reason Policy_Updated. |
| AWS access keys not used for more than 90 days | Changes: The policy name, description, and RQL are updated to meet the compliance standard of 45 days.<br>Updated policy name: AWS Access key not used for more than 45 days<br>Updated description: This policy identifies IAM users whose access keys have not been used for more than 45 days. Access keys give users programmatic access to resources. If an access key has not been used in the past 45 days, that access key needs to be deleted (even if the access key is inactive).<br>Current RQL:<br>Updated RQL:<br>Impact: High. The alert count will increase for access keys that have not been used in more than 45 days. |
| GCP VM disks not encrypted with Customer-Supplied Encryption Keys (CSEK) | Changes: The policy RQL is updated to check for GCP compute disks that are not encrypted with CSEK.<br>Current RQL:<br>Updated RQL:<br>Impact: Low. New alerts may be generated for VM disks that are not encrypted with CSEK. No impact on existing alerts. |
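The 45-day rule above, and the alert-count increase its Impact line predicts, can be reproduced locally against an IAM credential report. The following is an added example written for this page, not Prisma Cloud's RQL: it reads rows shaped like the access-key columns of an AWS IAM credential report (constructed here, with placeholder key ids), reports every key unused for more than the threshold, keeps inactive keys in the result as the new description requires, and treats a never-used key as unused since its creation date (this example's interpretation; the page does not spell out that case). Running it at 90 and then at 45 days shows which keys become new alerts.

```python
"""Stale-access-key check following the 45-day rule described above.

Added example, not Prisma Cloud's RQL. It evaluates rows shaped like the
access-key columns of an AWS IAM credential report; every row below is
constructed sample data, and the key ids are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

STALE_AFTER_DAYS = 45  # threshold set by this policy update (previously 90)


@dataclass(frozen=True)
class AccessKey:
    user: str
    key_id: str
    active: bool
    created: datetime
    last_used: Optional[datetime]  # None when the report shows N/A (never used)


def parse_report_time(value: str) -> Optional[datetime]:
    """Parse a credential-report timestamp; 'N/A' / 'no_information' mean never used."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_keys(keys: List[AccessKey], now: datetime,
               max_age_days: int = STALE_AFTER_DAYS) -> List[Tuple[str, str]]:
    """Return (user, reason) for each key not used within the last max_age_days.

    Inactive keys are still reported, because the policy description says an
    unused key should be deleted even if it is inactive. A key that was never
    used is measured from its creation date (this example's interpretation of
    'not used in the past 45 days'; the page does not spell out that case).
    """
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for key in keys:
        reference = key.last_used if key.last_used is not None else key.created
        if reference < cutoff:
            age = (now - reference).days
            how = "never used" if key.last_used is None else "last used"
            state = "active" if key.active else "inactive"
            findings.append((key.user, f"{key.key_id} {how} {age} days ago ({state})"))
    return findings


# Constructed sample report, evaluated as of a fixed point in time.
NOW = datetime(2023, 3, 15, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    AccessKey("alice", "AKIA-EXAMPLE-1", True, parse_report_time("2022-06-01T00:00:00Z"), parse_report_time("2023-03-01T00:00:00Z")),
    AccessKey("bob", "AKIA-EXAMPLE-2", True, parse_report_time("2022-06-01T00:00:00Z"), parse_report_time("2023-01-10T00:00:00Z")),
    AccessKey("carol", "AKIA-EXAMPLE-3", False, parse_report_time("2022-06-01T00:00:00Z"), parse_report_time("2022-12-01T00:00:00Z")),
    AccessKey("dave", "AKIA-EXAMPLE-4", True, parse_report_time("2022-11-20T00:00:00Z"), parse_report_time("N/A")),
    AccessKey("erin", "AKIA-EXAMPLE-5", True, parse_report_time("2023-03-10T00:00:00Z"), parse_report_time("N/A")),
]


def report(max_age_days: int = STALE_AFTER_DAYS) -> List[Tuple[str, str]]:
    """Run the check over the constructed sample at the fixed evaluation time."""
    return stale_keys(SAMPLE_KEYS, NOW, max_age_days)


if __name__ == "__main__":
    for threshold in (90, STALE_AFTER_DAYS):
        print(f"keys unused for more than {threshold} days:")
        for user, reason in report(threshold):
            print(f"  {user}: {reason}")
```

At the old 90-day threshold only carol (inactive, 104 days) and dave (never used, 115 days) are reported; at 45 days bob (64 days) joins them, which is the kind of increase the Impact line describes.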
New Compliance Benchmarks and Updates
| COMPLIANCE BENCHMARK | DESCRIPTION |
|---|---|
| Support for ISO/IEC 27002:2022 | Prisma Cloud now supports the ISO/IEC 27002:2022 compliance standard. ISO/IEC 27002:2022 provides guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls while taking the organization's information security risk environment into account. With this support, you can now view this built-in standard and the related policies on Prisma Cloud's Compliance > Standard page. Additionally, you can generate reports for immediate viewing or download, or you can schedule recurring reports to keep track of this compliance standard over time. |
Changes in Existing Behavior
| FEATURE | DESCRIPTION |
|---|---|
| Global Region Support for Target SSL Proxy | Prisma Cloud now provides global region support for the gcloud-compute-target-ssl-proxy API. As a result, all the resources will be deleted and then regenerated on the management console. Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated against the policy violations.<br>Impact: You may notice a reduced alert count. However, the alert count will return to the original numbers once the resources for gcloud-compute-target-ssl-proxy start ingesting data again. |
| Update Prisma Cloud Data Security IP Addresses | The list of source IP addresses for Data Security in the US and EU regions is updated. Review the list, add the new IP addresses to your allow lists, and remove the old ones.<br>US New IPs (to add):<br>US Old IPs (to remove):<br>EU New IPs (to add):<br>EU Old IPs (to remove): |
REST API Updates
No REST API Updates for 23.3.2.
New Features Introduced in 23.3.1
New Features
| FEATURE | DESCRIPTION |
|---|---|
| GRBAC now available for Data Security | Granular Role Based Access Control (GRBAC) is now available for Data Security functionality in Prisma Cloud. You can now create Custom Roles with the option to View, Create, Update, or Delete Data Security functions. GRBAC lets you enforce least-privileged access by creating roles with the minimum Data Security access required for a user's job function. Custom Role creation is limited to users with a current System Administrator role. |
| Task Delegation on Adoption Advisor | To operationalize the security capabilities available on Prisma Cloud, you can now assign tasks to specific members of your team so that the right person is assigned and accountable for completing the task and making progress. The assignee receives an email with a link to the appropriate page on the administrative console, where the Adoption Advisor side panel provides guidance on the high-level steps to complete the task and a documentation link for more details. |
| Vulnerabilities displayed in Command Center | The Command Center dashboard on the Prisma Cloud console now includes a snapshot view of Urgent Vulnerabilities, Top 5 Vulnerable Images, and Top 5 Vulnerable Hosts. Vulnerabilities triggering Critical and High alerts are grouped into these actionable views, giving you insight into the impacted resources in your environment and providing remediation options. You can view data for the past 30 days and also filter results by:<br>Currently, only System Administrators can view the Vulnerabilities widget. The Vulnerability dashboard is also currently not available for Government and China based deployments. |
| Prisma Cloud Chronicles | The Chronicles is a weekly email update that summarizes your team's usage of Prisma Cloud, suggests product adoption improvements, links to the Release Notes to show what's new, and provides actionable opportunities to secure your cloud environment. |
| Support for Finance Regions on Alibaba Cloud | Prisma Cloud now ingests data for resources deployed in Alibaba Finance Cloud for the Hangzhou, Shanghai, and Shenzhen regions. To review the list of supported regions, select Inventory > Assets. |
| Enhancement: Separate Text Boxes for Key and Value Entries | If you use tags, you no longer need a colon (:) to separate key and value entries in a single text box when assigning resource tags on Alert Overview and Asset Inventory. You can now enter the Key and Value in separate text boxes. |
| Enhancement: Asset Inventory | The text strings displayed in Asset Inventory are improved for better readability and accuracy. |
API Ingestions
| SERVICE | API DETAILS |
|---|---|
| Azure Defender for Cloud | azure-defender-for-cloud-workspace-setting. Additional permission required:<br>The Reader role includes the permission. |
| Azure Defender for Cloud | azure-defender-for-cloud-setting. Additional permission required:<br>The Reader role includes the permission. |
| Azure Defender for Cloud | azure-defender-for-cloud-security-contact. Additional permission required:<br>The Reader role includes the permission. |
| Azure Defender for Cloud | azure-defender-for-cloud-secure-score. Additional permission required:<br>The Reader role includes the permission. |
| Azure Batch Account | azure-batch-account-pool. Additional permissions required:<br>The Reader role includes the permissions. |
| Google Cloud Deploy | gcloud-cloud-deploy-configuration. Additional permissions required:<br>The Viewer role includes the permissions. |
| Google Cloud Deploy | gcloud-cloud-deploy-delivery-pipeline. Additional permissions required:<br>The Viewer role includes the permissions. |
| Google Cloud Deploy | gcloud-cloud-deploy-target. Additional permissions required:<br>The Viewer role includes the permissions. |
New Policies
| NEW POLICIES | DESCRIPTION |
|---|---|
| Attack Path Policies | To help prioritize alerts and mitigate security issues, Prisma Cloud provides 5 new out-of-the-box Attack Path policies that are of critical severity and enabled by default. The Attack Path policies are:<br>This policy identifies AWS EC2 instances with the s3:GetObject permission that are publicly exposed and not configured with Instance Metadata Service v2 (IMDSv2). With IMDSv2, every request is protected by session authentication. IMDSv2 protects against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched SSRF vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation. As a best practice, use only IMDSv2 for all your EC2 instances.<br>This policy identifies AWS EC2 instances that have risky permissions and are publicly exposed. EC2 instances associated with the 'iam:PassRole' and 'ec2:RunInstances' permissions can be used to escalate privileges by passing an existing IAM role to a new EC2 instance and moving laterally. It is highly recommended that you remove the risky permissions from the IAM role attached to EC2 instances. Additionally, review and restrict the public exposure based on the business requirements.<br>This policy identifies AWS EC2 instances that have risky ORG-level WRITE permissions and are publicly exposed. EC2 instances with org-level write permissions can be used to escalate privileges at the ORG level and move laterally between accounts. It is highly recommended to remove the risky permissions from the IAM role attached to EC2 instances. Additionally, review and restrict the public exposure based on the business requirements.<br>This policy identifies AWS EC2 instances that have known exploitable vulnerabilities and are publicly exposed. An attacker can exploit the vulnerability to compromise the confidentiality, integrity, or availability of the affected EC2 instance and perform malicious actions. As a best practice, remediate the Critical/High exploitable vulnerabilities reported for EC2 instances. Additionally, review and restrict the public exposure based on the business requirements.<br>This policy identifies AWS EC2 instances that are attached to an IAM role with risky permissions and are publicly exposed. EC2 instances with the 'iam:PassRole', 'lambda:CreateFunction', and 'lambda:InvokeFunction' permissions can be used to escalate privileges by passing an existing IAM role to a new Lambda function and moving laterally. As a best practice, remove the risky permissions from the IAM role attached to EC2 instances. Additionally, review and restrict the public exposure based on the business requirements.<br>Attack Path policies are not available in China and Government regions. |
| Azure Anomaly Policies | Prisma Cloud provides the following new policies that detect anomalies using the information in audit logs for your Azure cloud accounts:<br>These anomaly policies:<br>You can also specify a role in the anomaly trusted list to suppress the alerts. The specified anomaly policy will not generate alerts for the matching role names added to this trusted list. |
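The five Attack Path conditions above combine a public-exposure test with a permission, configuration or vulnerability test, and the permission tests have to honour IAM wildcard semantics (a role allowed "lambda:*" or "*" holds lambda:CreateFunction just as surely as one that names it). The following is an added example written for this page, not Prisma Cloud's policy engine or RQL: it evaluates the five conditions over constructed instance records, with constructed condition names, an example-specific record shape (public, imdsv2_required, actions, exploitable_vulns), and an assumed set of organization-level write actions used to probe for the "ORG level WRITE" case that the page mentions without listing.

```python
"""Local evaluation of the five Attack Path conditions described above.

Added example, not Prisma Cloud's policy engine or RQL. The instance records
and the condition names are constructed for this example; the record fields
(public, imdsv2_required, actions, exploitable_vulns) are this example's own
shape, not an AWS or Prisma Cloud schema.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Instance:
    instance_id: str
    public: bool                 # reachable from the internet
    imdsv2_required: bool        # instance metadata HttpTokens == "required"
    actions: FrozenSet[str]      # IAM actions the attached role allows; wildcards permitted
    exploitable_vulns: int = 0   # Critical/High findings with a known exploit


def allows(actions: FrozenSet[str], wanted: str) -> bool:
    """True if any allowed action pattern covers `wanted`.

    IAM action matching is case-insensitive and '*' is a wildcard, so a role
    with "lambda:*" or "*" covers lambda:CreateFunction.
    """
    target = wanted.lower()
    return any(fnmatchcase(target, pattern.lower()) for pattern in actions)


# Representative organization-level write actions used to probe the role.
# Assumption for this example: the page says "ORG level WRITE permissions"
# without listing them; any allowed pattern covering one of these counts.
ORG_WRITE_PROBES = (
    "organizations:CreatePolicy",
    "organizations:AttachPolicy",
    "organizations:MoveAccount",
    "organizations:InviteAccountToOrganization",
)


def evaluate(inst: Instance) -> List[str]:
    """Return the (constructed) names of the Attack Path conditions an instance meets."""
    findings: List[str] = []
    if not inst.public:
        return findings  # every Attack Path policy above requires public exposure
    acts = inst.actions
    if allows(acts, "s3:GetObject") and not inst.imdsv2_required:
        findings.append("public-s3-read-without-imdsv2")
    if allows(acts, "iam:PassRole") and allows(acts, "ec2:RunInstances"):
        findings.append("public-passrole-runinstances")
    if any(allows(acts, probe) for probe in ORG_WRITE_PROBES):
        findings.append("public-org-level-write")
    if inst.exploitable_vulns > 0:
        findings.append("public-known-exploitable-vulns")
    if (allows(acts, "iam:PassRole") and allows(acts, "lambda:CreateFunction")
            and allows(acts, "lambda:InvokeFunction")):
        findings.append("public-passrole-lambda")
    return findings


def evaluate_all(instances: List[Instance]) -> Dict[str, List[str]]:
    """Map each instance id to its findings, omitting instances with none."""
    results: Dict[str, List[str]] = {}
    for inst in instances:
        hits = evaluate(inst)
        if hits:
            results[inst.instance_id] = hits
    return results


# Constructed sample inventory.
SAMPLE_INSTANCES = [
    Instance("i-web", True, False, frozenset({"s3:GetObject"})),
    Instance("i-deploy", True, True, frozenset({"iam:PassRole", "ec2:RunInstances", "lambda:*"})),
    Instance("i-star", True, True, frozenset({"*"}), exploitable_vulns=2),
    Instance("i-private", False, False, frozenset({"*"}), exploitable_vulns=5),
    Instance("i-readonly", True, False, frozenset({"organizations:Describe*", "ec2:Describe*"})),
]


if __name__ == "__main__":
    for iid, hits in evaluate_all(SAMPLE_INSTANCES).items():
        print(iid, "->", ", ".join(hits))
```

Two of the sample records exercise the edge cases: i-private holds a wildcard role and has exploitable findings but is not public, so none of the five conditions apply, and i-readonly is public with only Describe* wildcards, which match none of the write probes.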
Policy Updates
| POLICY UPDATES | DESCRIPTION |
|---|---|
| Changes to Network Anomaly Policies | The names of the network anomaly policies are modified to be self-explanatory and to make it easier to identify the cloud resources involved in the alerts these policies report. Additionally, the Resource Name column in the alert details for external network anomaly policies (excluding Port Sweep activity) now displays the internal resource (cloud instance) targeted or generating traffic instead of the public IP address of the source host participating in the suspicious activity. For more information, see the list of policies that are affected.<br>Impact: Only applies to new alerts generated by an anomaly policy. No impact on existing alerts. |
| Policy Updates-RQL | |
| GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower | Changes: The policy RQL is updated to match changes introduced in the gcloud-compute-ssl-policies API.<br>Current RQL:<br>Updated RQL:<br>Impact: High. Existing alerts will be resolved as Resource_Updated. New alerts will be generated against the policy violations. |
| GCP Load Balancer SSL proxy permits SSL policies with weak cipher suites | Changes: The policy RQL is updated to match changes introduced in the gcloud-compute-ssl-policies API.<br>Current RQL:<br>Updated RQL:<br>Impact: High. Existing alerts will be resolved as Resource_Updated. New alerts will be generated against the policy violations. |
| GCP Load Balancer HTTPS proxy permits SSL policies with weak cipher suites | Changes: The policy RQL is updated to match changes introduced in the gcloud-compute-ssl-policies API.<br>Current RQL:<br>Updated RQL:<br>Impact: High. Existing alerts will be resolved as Resource_Updated. New alerts will be generated against the policy violations. |
| GCP HTTPS Load balancer SSL Policy not using restrictive profile | Changes: The policy RQL is updated to match changes introduced in the gcloud-compute-ssl-policies API.<br>Current RQL:<br>Updated RQL:<br>Impact: High. Existing alerts will be resolved as Resource_Updated. New alerts will be generated against the policy violations. |
New Compliance Benchmarks and Updates
| COMPLIANCE BENCHMARK | DESCRIPTION |
|---|---|
| CSA Cloud Controls Matrix (CCM) v4.0.6 | Prisma Cloud now supports the CSA Cloud Controls Matrix (CCM) v4.0.6 compliance standard. The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. It is a spreadsheet that contains a list of common frameworks and regulations that your organization must follow. Each control maps to a number of industry-accepted security standards, regulations, and frameworks, which means that completing the CCM controls also completes the accompanying standards and regulations. It reduces the need to use multiple frameworks and simplifies cloud security by displaying all common cloud standards in one place. With this support, you can now view this built-in standard and the related policies on Prisma Cloud's Compliance > Standard page. Additionally, you can generate reports for immediate viewing or download, or you can schedule recurring reports to keep track of this compliance standard over time. |
Changes in Existing Behavior
| FEATURE | DESCRIPTION |
|---|---|
| Google Compute SSL Policies Update | Prisma Cloud now includes a JSON update that increases the visibility and monitoring of gcloud-compute-ssl-policies API resources. As a result, all the resources will be deleted and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against the policy violations.<br>Impact: You may notice an increased alert count for the following OOTB policies:<br>However, the alert count will return to the original numbers once the resources for gcloud-compute-ssl-policies start ingesting data again. |
REST API Updates
| CHANGE | DESCRIPTION |
|---|---|
| Command Center APIs | The following new endpoints are available for the Command Center API: |
| New APIs for Onboarding AWS Cloud Accounts. This change was first announced in the Look Ahead that was published with the 22.4.1 release. | The following new endpoints are now available for the Cloud Accounts API. These endpoints include the updates to generate the External ID in the IAM Role and to enable selection of Security Capabilities and Permissions. |
| Cloud Ingested Logs API | The following new endpoints are available for the Cloud Ingested Logs API: |