Prisma Cloud Release Notes For January 31, 2020


Features Introduced on January 31, 2020


New Features

Coverage for the Personal Information Protection and Electronic Documents Act Standard

Prisma Cloud adds support for the Personal Information Protection and Electronic Documents Act (PIPEDA), the Canadian federal privacy law that protects the rights and privacy of consumers. It governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. Coverage for this compliance standard is available across AWS, Azure, and GCP.
Notification Template Updates and Event Management Support for ServiceNow

Prisma Cloud now adds support for sending alert notifications to the Event Management module, the default reporting table on ServiceNow.

[Screenshot: ServiceNow Event Incidents Alerts]


Along with this enhancement, the ServiceNow integration includes the following usability improvements:

  • A new notification template hub where you select the ServiceNow template instead of a generic template.
  • The ability to configure custom alert notification mappings for each alert status (Open, Dismissed, or Resolved).
  • One-click validation that the setup works: you can send a test notification as soon as you configure a notification template.
More Policies for NIST CSF Compliance

Prisma Cloud now has increased policy coverage for the NIST Cybersecurity Framework v1.1 on Azure and GCP, bringing the count to over 30 policies on each of these cloud platforms.

[Screenshot: Prisma Cloud NIST CSF Policies]

Set Function in RQL to Compare or Combine Lists and Find a Value

The _Set function enables you to compare or combine the values in two lists (on the left-hand side and right-hand side) using union or intersection, and then check whether a specific value, or a comma-separated list of values, is included in the result set.

The methods supported are _Set.intersection and _Set.union. You can use the boolean operator intersects to verify that at least one of the values you are looking for is present in the result, that is, that the result set contains the specified value(s).

For example, to detect internet-exposed instances: instances with a public IP address whose network has an enabled ingress firewall rule with source 0.0.0.0/0 that targets one of the instance's network tags:

config where api.name = 'gcloud-compute-instances-list' as X;
config where api.name = 'gcloud-compute-firewall-rules-list' as Y;
filter '$.X.networkInterfaces[*].network contains $.Y.network and $.X.networkInterfaces[*].accessConfigs[*].natIP size greater than 0 and $.Y.direction contains INGRESS and $.Y.sourceRanges[*] contains 0.0.0.0/0 and $.X.tags.items[*] intersects $.Y.targetTags[*] and $.Y.disabled contains false';
show X;
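To see what that join actually evaluates, here is an added example (not Prisma Cloud code) that replays the same predicates in Python over constructed instance and firewall-rule records shaped like the two API responses; the project and network names are made up. It also covers a case the tag intersection cannot express: a GCP ingress rule with no targetTags and no targetServiceAccounts applies to every instance in its network, so an open rule of that kind exposes instances that carry no matching tag at all. The include_untagged switch is an addition of this example, not something the RQL above does.

```python
"""Replay of the RQL join for internet-exposed GCP instances.

Added example, not Prisma Cloud code. INSTANCES and FIREWALL_RULES are
constructed records shaped like gcloud-compute-instances-list and
gcloud-compute-firewall-rules-list output; project and network names are
made up.
"""

PROD_NET = "https://www.googleapis.com/compute/v1/projects/example-proj/global/networks/prod"

INSTANCES = [
    {"name": "web-1", "tags": {"items": ["http-server", "web"]},
     "networkInterfaces": [{"network": PROD_NET,
                            "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
    {"name": "db-1", "tags": {"items": ["db"]},
     "networkInterfaces": [{"network": PROD_NET,
                            "accessConfigs": [{"natIP": "203.0.113.11"}]}]},
    {"name": "worker-1", "tags": {"items": ["web"]},          # no public IP
     "networkInterfaces": [{"network": PROD_NET, "accessConfigs": []}]},
    {"name": "bastion", "tags": {},                             # no tags at all
     "networkInterfaces": [{"network": PROD_NET,
                            "accessConfigs": [{"natIP": "203.0.113.12"}]}]},
]

FIREWALL_RULES = [
    {"name": "allow-http", "network": PROD_NET, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["http-server"], "disabled": False},
    {"name": "allow-db-internal", "network": PROD_NET, "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"], "targetTags": ["db"], "disabled": False},
    {"name": "allow-ssh-legacy", "network": PROD_NET, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"], "disabled": True},
    # No targetTags and no targetServiceAccounts: GCP applies this rule to
    # every instance in the network.
    {"name": "allow-all-untagged", "network": PROD_NET, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "disabled": False},
]


def set_intersection(lhs, rhs):
    """_Set.intersection: values present in both lists."""
    return sorted(set(lhs) & set(rhs))


def set_union(lhs, rhs):
    """_Set.union: values present in either list."""
    return sorted(set(lhs) | set(rhs))


def intersects(result, wanted):
    """The intersects operator: at least one wanted value is in the result."""
    return bool(set(result) & set(wanted))


def has_public_ip(inst):
    """$.X.networkInterfaces[*].accessConfigs[*].natIP size greater than 0"""
    return any(cfg.get("natIP")
               for nic in inst.get("networkInterfaces", [])
               for cfg in nic.get("accessConfigs", []))


def instance_networks(inst):
    """Networks the instance has an interface on."""
    return {nic["network"] for nic in inst.get("networkInterfaces", [])}


def is_open_ingress(rule):
    """direction INGRESS, source 0.0.0.0/0, and not disabled."""
    return (rule.get("direction") == "INGRESS"
            and "0.0.0.0/0" in rule.get("sourceRanges", [])
            and not rule.get("disabled", False))


def rule_targets_instance(rule, inst, include_untagged=False):
    """Literal RQL reading: tags.items intersects targetTags.
    With include_untagged, a rule that names no targets also matches."""
    tags = inst.get("tags", {}).get("items", [])
    targets = rule.get("targetTags", [])
    if include_untagged and not targets and not rule.get("targetServiceAccounts"):
        return True
    return intersects(tags, targets)


def exposed_instances(instances, rules, include_untagged=False):
    """Names of instances with a public IP reachable through an open ingress rule."""
    return [inst["name"] for inst in instances
            if has_public_ip(inst)
            and any(rule["network"] in instance_networks(inst)
                    and is_open_ingress(rule)
                    and rule_targets_instance(rule, inst, include_untagged)
                    for rule in rules)]
```

With the literal reading only web-1 is reported; db-1 and bastion are reached by the untagged rule but have no tag that intersects its (empty) targetTags, so a query built solely on intersects will not surface them.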

RQL Function to find a specific address or subnet within a CIDR

In an RQL Config query, you can now use the _IPAddress.inCIDRRange function to find whether a specific IPv4 or IPv6 address or subnet is part of a given CIDR block or supernet.

For example, to find security groups with an inbound rule whose source range lies within 106.51.77.60/24:

config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[].ipv4Ranges[].cidrIp,106.51.77.60/24) is true'

or, combining several ranges in one rule:

config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,10.0.0.0/8) is true and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,172.31.0.0/12) is true and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,192.168.0.0/16) is true'

Note that 172.31.0.0/12 is written with host bits set: the canonical network for that prefix length is 172.16.0.0/12, the RFC 1918 block that contains 172.31.0.0/16, so check that the range the function evaluates is the one you intend.
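An added example (not Prisma Cloud code) that models the containment check in Python over constructed security-group records shaped like aws-ec2-describe-security-groups output, including an IPv6 range and a subnet-in-supernet case. Two details are worth checking against your own queries: a prefix written with host bits set, such as 172.31.0.0/12, canonicalises to 172.16.0.0/12, a much larger block than 172.31.0.0/16; and containment is not overlap, so a 0.0.0.0/0 source is not "in" 10.0.0.0/8 even though it reaches every address in it. The page does not say how the Prisma function treats either case, so overlaps_cidr is included only to show the other reading for comparison.

```python
"""Local model of _IPAddress.inCIDRRange over security-group rules.

Added example, not Prisma Cloud code. SECURITY_GROUPS is constructed to look
like aws-ec2-describe-security-groups output.
"""
import ipaddress

SECURITY_GROUPS = [
    {"GroupId": "sg-mgmt", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}, {"cidrIp": "192.168.1.0/24"}]}]},
    {"GroupId": "sg-office", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "106.51.77.10/32"}],
         "ipv6Ranges": [{"cidrIpv6": "2001:db8:1::/64"}]}]},
    {"GroupId": "sg-open", "ipPermissions": [
        {"ipProtocol": "-1", "fromPort": -1, "toPort": -1,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]},
]


def to_network(value):
    """Parse an address or prefix. A bare address becomes a /32 or /128.
    strict=False accepts a prefix written with host bits set and canonicalises
    it, e.g. 172.31.0.0/12 -> 172.16.0.0/12."""
    return ipaddress.ip_network(value, strict=False)


def in_cidr_range(value, cidr):
    """Containment: value (address or subnet) lies entirely inside cidr.
    Different address families never match."""
    net, block = to_network(value), to_network(cidr)
    return net.version == block.version and net.subnet_of(block)


def overlaps_cidr(value, cidr):
    """Overlap: value and cidr share at least one address. Unlike containment
    this is true for 0.0.0.0/0 against any IPv4 block."""
    net, block = to_network(value), to_network(cidr)
    return net.version == block.version and net.overlaps(block)


def source_prefixes(group):
    """$.ipPermissions[*].ipv4Ranges[*].cidrIp plus the IPv6 equivalent."""
    prefixes = []
    for perm in group.get("ipPermissions", []):
        prefixes += [r["cidrIp"] for r in perm.get("ipv4Ranges", [])]
        prefixes += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
    return prefixes


def groups_matching(groups, cidr, check=in_cidr_range):
    """GroupIds with at least one inbound source prefix for which check holds."""
    return [g["GroupId"] for g in groups
            if any(check(p, cidr) for p in source_prefixes(g))]
```

groups_matching(SECURITY_GROUPS, "10.0.0.0/8") returns only sg-mgmt; the wide-open sg-open is reported only under the overlap reading, which is the kind of rule you usually care about most.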

Auto remediation on GCP Storage Buckets with gsutil

You can now use gsutil in the remediation CLI for GCP Storage bucket policies, so that auto remediation can, for example, trim excessive permissions granted to specific IAM members or stop a bucket from being open to the internet.

gsutil is supported only for GCP Storage policies whose API name is gcloud-storage-buckets-list, and it can be chained with gcloud in the same remediation command. For example (${account} and ${resourceName} are substituted at run time with the project and bucket name of the alerted resource):

gcloud iam --project=${account} list-grantable-roles;gsutil versioning set off gs://${resourceName};

Alert Notification Emails with Attachments

You can now send alert emails instantly or schedule them as recurring batched jobs to any email address, not only to Prisma Cloud administrators. Recipients receive the complete list of open alerts on the schedule you set.

In the email, you can opt to include remediation information for the policies that triggered the alerts and attach the alert details as a CSV file or as a compressed zip file. An email can have up to 10 attachments, with a 9 MB total size limit. An uncompressed CSV attachment can hold 900 rows; a compressed zip attachment can hold 95,000 rows.

[Screenshot: Prisma Cloud Alerts with CSV]

API Ingestion Update

Azure

The azure-sql-server-list API is modified to ingest JSON metadata on the server's encryption protector type, such as ServiceManaged or AzureKeyVault.

AWS

Some of the new APIs require additional IAM permissions. To ingest the resources that require them, you must update the CloudFormation template (CFT) used to onboard the AWS account with the permissions listed below.


  • Amazon EC2: aws-ec2-key-pair
  • AWS API Gateway: aws-apigateway-method
  • Amazon Elastic Container Service: aws-ecs-service
  • Amazon Elastic Container Registry (ECR): aws-ecr-image
    To ingest this API, you must enable the additional permission
    ecr:DescribeImages
  • Amazon Elastic Container Registry (ECR): aws-ecr-get-repository-policy
  • AWS Resource Access Manager (RAM):
      • aws-ram-principal
      • aws ram list-resources
      • aws-ram-resource
      • aws-ram-resource-share
    To ingest the resource share API, you must enable the additional permission
    ram:GetResourceShares
  • AWS Web Application Firewall (WAF): aws-waf-web-acl-resources
    To ingest this API, you must enable the additional permissions
    wafv2:ListResourcesForWebACL
    wafv2:ListWebACLs
  • AWS Route 53: aws-route53-domain
    To ingest this API, you must enable the additional permissions
    route53domains:ListDomains
    route53domains:ListTagsForDomain
  • AWS Glue: aws-glue-security-configuration
    To ingest this API, you must enable the additional permission
    glue:GetSecurityConfigurations
  • AWS Lambda: aws-lambda-list-functions is modified to ingest the resource policy associated with each Lambda function.
    To ingest the Lambda policy, you must enable the additional permission
    lambda:GetPolicy
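Before updating the CFT, it helps to know which of these permissions the deployed role already grants. The following added example (not Prisma Cloud code) checks a role's IAM policy document against the actions listed above. CURRENT_POLICY is a constructed document; substitute the one attached to your Prisma Cloud role. It applies IAM's action-matching rules as far as the Action element goes: case-insensitive comparison, '*' and '?' wildcards, and an explicit Deny overriding any Allow. NotAction, Resource, and Condition are not modelled, and the generated statement assumes Resource "*", as a read-only inventory role typically uses.

```python
"""Find which new read permissions a role's policy document is missing.

Added example, not Prisma Cloud code. CURRENT_POLICY is a constructed
policy document; REQUIRED_ACTIONS lists the permissions named in this
release for the new AWS APIs.
"""
import fnmatch
import json

REQUIRED_ACTIONS = [
    "ecr:DescribeImages",
    "ram:GetResourceShares",
    "wafv2:ListResourcesForWebACL",
    "wafv2:ListWebACLs",
    "route53domains:ListDomains",
    "route53domains:ListTagsForDomain",
    "glue:GetSecurityConfigurations",
    "lambda:GetPolicy",
]

# Constructed: what an already-deployed read-only role might contain.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecr:Describe*", "glue:GetSecurityConfigurations", "lambda:GetPolicy"]},
        {"Effect": "Allow", "Resource": "*", "Action": "wafv2:ListWebACLs"},
        # An explicit Deny wins over any Allow.
        {"Effect": "Deny", "Resource": "*", "Action": "lambda:GetPolicy"},
    ],
}


def _as_list(value):
    """IAM allows either a string or a list in Action."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive; '*' matches any run of characters
    (also across the service prefix, so 'ecr:*' or '*' match), '?' one character."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def effective_actions(policy, required):
    """Required actions granted by an Allow statement and not revoked by a Deny.
    Only the Action element is evaluated (no NotAction, Resource or Condition)."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            bucket.update(a for a in required if action_matches(pattern, a))
    return allowed - denied


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not effectively grant, in list order.
    An action blocked by a Deny is reported here too, but adding an Allow will
    not fix it; the Deny statement has to be removed."""
    have = effective_actions(policy, required)
    return [a for a in required if a not in have]


def allow_statement(actions):
    """Statement to add to the role policy in the CFT for the missing actions."""
    return {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}


if __name__ == "__main__":
    gap = missing_actions(CURRENT_POLICY)
    print(json.dumps(allow_statement(gap), indent=2))
```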
Deprecated APIs

GCP

Prisma Cloud no longer ingests the following APIs:

  • gcloud-cloud-spanner-instance-list
  • gcloud_bigtable-instance-list

Saved Search Addition for Azure VMs

The new saved search Azure VM endpoint protection extension is not installed helps you identify VMs that do not have an endpoint protection extension installed. You can edit the json.rule attribute in its RQL,

json.rule = Extensions.*.virtualMachineExtensionType is empty OR Extensions.*.virtualMachineExtensionType is not member of

to add, after is not member of, the endpoint protection extensions that are approved by your organization.
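Because the rule walks a wildcard path (Extensions.*), it is worth checking what "is not member of" means for a VM that runs an approved endpoint protection extension alongside an unrelated one, such as a custom script extension. The page does not say which reading RQL applies, so the added example below (not Prisma Cloud code) implements both over constructed VM records and shows where they differ. The approved list is an assumption: IaaSAntimalware is the extension type of Microsoft's antimalware extension, and ExampleVendorAgent is a placeholder for a third-party agent.

```python
"""Replay of the 'Azure VM endpoint protection extension is not installed'
saved search over constructed VM records.

Added example, not Prisma Cloud code. VMS is constructed; APPROVED_EPP_TYPES
is an assumed organisational allow list.
"""

APPROVED_EPP_TYPES = {"IaaSAntimalware", "ExampleVendorAgent"}  # assumption

VMS = [
    {"name": "vm-no-extensions", "Extensions": []},
    {"name": "vm-protected",
     "Extensions": [{"virtualMachineExtensionType": "IaaSAntimalware"}]},
    {"name": "vm-protected-plus-script",
     "Extensions": [{"virtualMachineExtensionType": "IaaSAntimalware"},
                    {"virtualMachineExtensionType": "CustomScriptExtension"}]},
    {"name": "vm-script-only",
     "Extensions": [{"virtualMachineExtensionType": "CustomScriptExtension"}]},
]


def extension_types(vm):
    """Extensions.*.virtualMachineExtensionType"""
    return [e.get("virtualMachineExtensionType") for e in vm.get("Extensions", [])]


def lacks_endpoint_protection(vm, approved=APPROVED_EPP_TYPES):
    """Reading 1: no installed extension is on the approved list.
    This is the intent of the saved search."""
    types = extension_types(vm)
    return not types or not any(t in approved for t in types)


def has_unapproved_extension(vm, approved=APPROVED_EPP_TYPES):
    """Reading 2: some installed extension is off the approved list.
    This mis-flags a VM that runs an approved agent plus an unrelated extension."""
    types = extension_types(vm)
    return not types or any(t not in approved for t in types)


def flagged_vms(vms, predicate=lacks_endpoint_protection):
    """Names of VMs the predicate flags, in input order."""
    return [vm["name"] for vm in vms if predicate(vm)]
```

Run the saved search against a VM like vm-protected-plus-script: if it is reported, the RQL is using the second reading and you should expect false positives on any VM that carries extra extensions.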


Policy Updates and New Policies

RQL updates to Azure Storage Account policies

The RQL for the following policies, which check Azure Storage Account analytics logging, has been revised to exclude Azure Premium Storage accounts:

  • Azure storage account logging for tables is disabled
  • Azure storage account logging for queues is disabled
  • Azure storage account logging for blobs is disabled
New Azure Policies for Activity Logs

The following new policies check that an Azure Activity Log alert exists for each of these security-relevant operations, so that you are notified of such changes and can detect suspicious activity more easily.

  • Azure Activity log alert for Update security policy does not exist
  • Ensure Activity Log Alert exists for Delete SQL Server Firewall Rule
  • Ensure Activity Log Alert exists for Create or Update SQL Server Firewall Rule
  • Ensure Activity Log Alert exists for Delete Security Solution
  • Ensure Activity Log Alert exists for Create or Update Security Solution
  • Ensure Activity Log Alert exists for Delete Network Security Group Rule
  • Ensure Activity Log Alert exists for Create or Update Network Security Group Rule
  • Ensure Activity Log Alert exists for Delete Network Security Group
  • Ensure Activity Log Alert exists for Create or Update Network Security Group
  • Activity Log Alert for Create Policy Assignment


For more information, please review the new features in the Prisma Cloud January 31, 2020 Release Notes in TechDocs.
