Prisma Cloud Release Notes For January 16, 2020

New Features

Feature | Description

(New Look) Asset Inventory

The Inventory provides a summary of the total number of resources discovered across your cloud deployments and the number of resources that are passing or failing policy checks.

To add visual appeal, you also have an asset trend chart, an asset classification bar graph, and a table with details (pass or fail) and alerts by severity.

[Image: Prisma Cloud Asset Inventory]

To help you drill into the details, the inline links in the table take you to the Asset Explorer for Total resources and Pass resources. The resources that failed policy checks are grouped as Low, Medium and High severity and these links take you to the Alerts Overview where you can review the details for each policy violation and the number of alerts that were generated against each policy.

Scheduled Compliance Reports

Enables you to set up one-time or recurring reports to assess the security status of your cloud resources against the compliance standards that matter most to you and to receive the reports in your email inbox.

The scheduled reports are also saved on Prisma™ Cloud so that you can download a report on demand. Additionally, the data in each report is available as a historical trend chart on the Prisma Cloud interface, which helps you view your overall compliance posture during a specific period of time.

GCP Flow Log Compression using the Google Cloud Dataflow Service

To address the lack of native log compression on Google Cloud Platform (GCP) and mitigate the network egress costs associated with sending uncompressed GCP logs to the Prisma Cloud infrastructure, you can now automate flow log compression using the Google Cloud Dataflow service. Whether you are monitoring your GCP project or organization, Prisma Cloud can automate flow log compression and save the compressed logs to the same storage bucket as your VPC flow logs. These compressed logs are then sent to the Prisma Cloud infrastructure for monitoring the network activity of your cloud resources.

For flow log compression, you need to enable the Google Cloud Dataflow APIs and grant additional permissions that allow Prisma Cloud to make the Dataflow API calls and save the compressed logs to your Google Cloud Storage bucket.

[Image: Prisma Cloud add GCP Organization]

API Ingestion Update

Azure

  • Azure Data Factory: azure-data-factory-v1 and azure-data-factory-v2
  • Azure Data Bricks: azure-databricks-workspace


GCP

  • gcloud-projects-iam-role
  • gcloud-organization-iam-role; to ingest data relating to this role, the following permission is required: roles/iam.organizationRoleViewer
  • gcloud-bigquery-dataset-list is updated to include the encryption configuration in the JSON metadata. This update enables you to detect unencrypted BigQuery tables.
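The encryption configuration now present in the dataset metadata is what makes such a check possible. As an added example (not Prisma Cloud's own RQL or code), the script below flags BigQuery tables that carry no customer-managed key (CMEK), treating a table-level encryptionConfiguration as overriding the dataset default; BigQuery always encrypts data at rest with Google-managed keys, so "unencrypted" here means "no CMEK". The sample metadata is constructed, follows the field names of the BigQuery REST API Dataset and Table resources, and nests tables under their dataset for brevity (the real API lists them separately).

```python
import json

# Constructed sample metadata (assumption: field names follow the BigQuery
# REST API, where a customer-managed key appears under
# defaultEncryptionConfiguration.kmsKeyName on a dataset and
# encryptionConfiguration.kmsKeyName on a table).
SAMPLE_DATASETS = json.loads("""
[
  {"id": "proj:finance", "location": "US",
   "defaultEncryptionConfiguration":
     {"kmsKeyName": "projects/proj/locations/us/keyRings/r/cryptoKeys/k"},
   "tables": [{"tableReference": {"tableId": "ledger"}}]},
  {"id": "proj:analytics", "location": "US",
   "tables": [
     {"tableReference": {"tableId": "events"}},
     {"tableReference": {"tableId": "pii"},
      "encryptionConfiguration":
        {"kmsKeyName": "projects/proj/locations/us/keyRings/r/cryptoKeys/k2"}}]},
  {"id": "proj:empty", "location": "EU", "defaultEncryptionConfiguration": {}}
]
""")


def kms_key(config):
    """Return the CMEK key name from an encryption config dict, else None.
    An empty dict or a missing/blank kmsKeyName counts as no CMEK."""
    if not isinstance(config, dict):
        return None
    key = config.get("kmsKeyName")
    return key if isinstance(key, str) and key else None


def find_unencrypted_tables(datasets):
    """Return (dataset_id, table_id) pairs for tables without a CMEK.
    A table's own encryptionConfiguration overrides the dataset default."""
    findings = []
    for ds in datasets:
        default_key = kms_key(ds.get("defaultEncryptionConfiguration"))
        for table in ds.get("tables", []):
            key = kms_key(table.get("encryptionConfiguration")) or default_key
            if key is None:
                findings.append((ds["id"], table["tableReference"]["tableId"]))
    return findings


def find_datasets_without_default_cmek(datasets):
    """Return ids of datasets whose default encryption config has no CMEK."""
    return [ds["id"] for ds in datasets
            if kms_key(ds.get("defaultEncryptionConfiguration")) is None]


if __name__ == "__main__":
    for ds_id, table_id in find_unencrypted_tables(SAMPLE_DATASETS):
        print(f"no customer-managed key: {ds_id}.{table_id}")
```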


AWS

  • AWS API Gateway: aws-apigateway-domain-name
  • AWS API Gateway: aws-apigateway-base-path-mapping
  • AWS CloudWatch: aws-cloudwatch-log-group

More Policies for GDPR Compliance

Prisma Cloud now includes GDPR support on Azure and adds more policies to extend GDPR coverage on GCP.

[Image: Prisma Cloud GDPR on all 3 Clouds]

Support for CIS v1.1.0 on GCP and CIS v1.2.0 on AWS

The CIS compliance standard on Prisma Cloud is updated with policy changes that check compliance against the requirements and sections of CIS v1.1.0 on GCP and CIS v1.2.0 on AWS.

[Image: Prisma Cloud, CIS, GCP, and AWS]

California Consumer Privacy Act of 2018

Prisma Cloud now supports the California Consumer Privacy Act, which is a state statute intended to enhance privacy rights and consumer protection for residents of California (United States).

[Image: Prisma Cloud CCPA]

Saved Search Addition for Azure VMs

The saved search "Azure VM has unapproved extensions installed" helps you determine whether your deployment includes VMs with unapproved extensions. You can edit the "is not member of" attribute in the query to specify the list of extensions that are approved for use in your organization.

Policy Updates and New Policies

Policy | Description

Permission Updates for AWS CFTs

The permissions in the AWS read-only and read-write CloudFormation Templates (CFTs) for AWS public cloud and AWS GovCloud are updated to include ec2:describeRegions. With this update, Prisma Cloud can retrieve data for the AWS cloud accounts across all enabled regions.

Remediation CLI for Existing Policies

The following policies are now designated as Remediable on the Prisma Cloud administrative console:
  • GCP VPC Flow logs for the subnet is set to Off
  • Azure PostgreSQL database with SSL connection disabled
  • Azure PostgreSQL database with log_checkpoints parameter disabled
  • Azure PostgreSQL database with log_connections parameter is disabled
  • Azure PostgreSQL database with log_disconnections parameter disabled
  • Azure PostgreSQL database with log_duration parameter disabled
  • Azure PostgreSQL database with connection throttling parameter is disabled
  • Azure PostgreSQL database log retention days is less than 3 days

Azure Storage account container storing activity logs is publicly accessible

Identifies storage account containers that allow public access to activity log content. This is a risk because it can help an adversary identify weaknesses in the account configuration.

Azure disk is unattached and not encrypted

Identifies disks that are unattached and not encrypted. Even if a disk is not attached to any VM, a compromised user account with administrative access to the VM service can mount and attach these data disks, which can result in disclosure or tampering of sensitive information.

Azure SQL server send alerts to field value is misconfigured

Identifies SQL servers that are not properly configured to send alerts to an email address. Having a valid email address for threat detection alerts enables you to receive alerts when anomalous activity is detected on your SQL servers.

Azure Data disk is not encrypted

Identifies data disks that are not encrypted. Encrypt data disks (non-boot volumes) to protect the volume from unwarranted reads without a key.

AWS support access policy is not associated with a role

Identifies IAM policies granting support role access that are not attached to any role. An IAM role with the support access policy enables you to ensure that users in your account can securely control access to AWS services and resources.


For more information, please review the new features in the Prisma Cloud January 16, 2020 Release Notes in TechDocs.
