Integration Status Checks
Prisma Cloud performs periodic checks and background validation of outbound external integrations to identify exceptions or failures in processing notifications. With the exception of Email, PagerDuty, Qualys, and Tenable.io integrations, the status checks now indicate when a change on the integration vendor impacts outbound alert notifications. The status checks display as red—integration failed validations, yellow—one or more templates associated with the integration are invalid, or green—working and all templates are valid. Any state transitions are automatically reflected on the Prisma Cloud administrator console.
Resource Attribution on Azure Updates
Prisma Cloud correlates data available in resource configurations and audit events to help you identify who (which user) made changes to specific Azure resources.
In addition to the services that were supported in the last release, resource attribution is now available for events related to the following Azure resources:
Azure Network Watcher
Azure Load Balancer
Azure SQL Database
Azure SQL Server
Azure Storage Account
Azure VPN Connection
Azure Container Registry
Azure Application Gateway
Azure App Service
API Ingestion Updates
Prisma Cloud has added coverage for the API:
The JSON for the API aws-sns-get-subscription-attributes is updated. Some fields, such as RawMessageDelivery, PendingConfirmation, and ConfirmationWasAuthenticated, are no longer retrieved for this API.
AWS ECS Task Definition Elevated Privileges Enabled
Checks the security configuration of your ECS container task definition and alerts you if it enables elevated privileges.
AWS ECS/ECS Fargate task definition execution IAM Role not found
Generates an alert if a task execution IAM role is not defined in your task definition for pulling container images and publishing container logs to Amazon CloudWatch.
AWS ECS Task Definition Root User Found
Checks if your container definition uses the root user and alerts you if it does.
GCP GKE Unsupported Node Version
Checks your GKE master node version and generates an alert if the version running is unsupported.
Non-Corporate Accounts Have Access to Google Cloud Platform (GCP) Resources
The RQL in this customizable policy is updated to match on more than one domain, and the match criteria checks for whether the email address contains or ends in the specified domain(s).
Simplified Cloud Account Onboarding for First-Time Users
The Cloud Account Onboarding tours are designed to help you onboard your cloud accounts on AWS, Azure, and GCP and simplify the first step for cloud monitoring and governance. The guided experience helps Prisma Cloud administrators with the System Administrator and Cloud Provisioning Administrator roles automate some of the configuration options for quicker onboarding.
HITRUST Compliance Standard for AWS
With the support for the Health Information Trust Alliance (HITRUST) security control framework, Prisma Cloud enables you to audit how you are doing on this healthcare regulatory requirement.
Use the policy checks included in the HITRUST Version 9.2 compliance standard to ensure that your AWS workloads that store, process, transmit, and analyze protected health information are securely handling sensitive data.
Principal ARN Check for Prisma Cloud Monitored AWS Accounts
The _AWSCloudAccount.isRedLockMonitored function is enhanced to check for the Principal ARN in addition to the Account ID specified in the policy trust document and verify whether the AWS Principal ARN belongs to an account that is monitored by Prisma Cloud. The RQL is config where api.name = 'aws-iam-list-roles' AND json.rule = '_AWSCloudAccount.isRedLockMonitored(role.assumeRolePolicyDocument.Statement[*].Principal.AWS) is true'
With this enhancement, when you use this RQL in a custom policy, an alert is generated when a cross-account role trusts a principal from an AWS account—a third-party account or another account you own—that is not monitored by Prisma Cloud.
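The check above is performed by Prisma Cloud's _AWSCloudAccount.isRedLockMonitored function; the following is an added example (not Prisma Cloud code) that reproduces the same idea locally: it walks a role's trust policy, reduces each Principal.AWS entry (bare account ID, root/user/role ARN, or "*") to an account ID, and reports any principal that is not in a monitored set. MONITORED_ACCOUNTS and SAMPLE_ROLE are constructed for the example.

```python
# Added example, not Prisma Cloud code: a local version of the trust-policy
# check that _AWSCloudAccount.isRedLockMonitored performs in the RQL above.
# MONITORED_ACCOUNTS and SAMPLE_ROLE are constructed for this example.
import json
import re

# Constructed: the AWS account IDs this tenant monitors.
MONITORED_ACCOUNTS = {"111111111111", "222222222222"}

# Captures the 12-digit account ID from an IAM ARN in any partition (aws, aws-cn, aws-us-gov).
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")


def principal_account_ids(principal_aws):
    """Reduce a Principal.AWS value (string or list) to the account IDs it names.

    Accepts bare account IDs and root/user/role ARNs; the wildcard "*" and any
    unrecognised value are kept verbatim so they are surfaced, not silently dropped.
    """
    values = principal_aws if isinstance(principal_aws, list) else [principal_aws]
    ids = set()
    for value in values:
        if re.fullmatch(r"\d{12}", value):
            ids.add(value)
            continue
        match = ARN_ACCOUNT_RE.match(value)
        ids.add(match.group(1) if match else value)
    return ids


def unmonitored_principals(assume_role_policy, monitored=MONITORED_ACCOUNTS):
    """Return the account IDs (or "*" / unparsed principals) that the trust
    policy allows to assume the role and that are not in the monitored set."""
    doc = json.loads(assume_role_policy) if isinstance(assume_role_policy, str) else assume_role_policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be a bare object
        statements = [statements]
    found = set()
    for stmt in statements:
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "AWS" in principal:              # Service/Federated principals are out of scope here
            found |= principal_account_ids(principal["AWS"]) - set(monitored)
    return found


# Constructed sample shaped like one role from aws-iam-list-roles.
SAMPLE_ROLE = {
    "RoleName": "cross-account-readonly",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": ["arn:aws:iam::333333333333:user/vendor-scanner",
                                   "444444444444"]}},
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "ec2.amazonaws.com"}},
        ],
    },
}

if __name__ == "__main__":
    bad = unmonitored_principals(SAMPLE_ROLE["AssumeRolePolicyDocument"])
    print(f"{SAMPLE_ROLE['RoleName']}: trusts unmonitored accounts {sorted(bad)}")
```

Running it against the sample role reports the two vendor accounts and ignores the monitored root ARN and the EC2 service principal; a "*" principal is reported as-is because it can never belong to a monitored account.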
API Ingestion Updates
Prisma Cloud has added coverage for the API:
GCP load balancer sensitive configuration updates
Detects sensitive configuration updates such as the deletion or modification of a GCP load balancer and SSL policies.
This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced in August 2019.
Flow Logs Ingestion Update
After you enable flow logs, Prisma Cloud will ingest flow log data for the last seven days only. If flow logs become unavailable for any reason such as if you manually disable flow logs, or modify API permissions, or an internal error occurs, when access is restored logs from the preceding seven days only are ingested.
Deletion of GCP Organization and Master Service Account
If you no longer want Prisma Cloud to monitor a GCP organization, or you want to delete a GCP project that you onboarded using a master service account, you can now delete the organization or project on Settings > Cloud Accounts.
Although the service stops ingesting data from the project or organization as soon as you delete it, all the data on your cloud resources is purged only after 24 hours. Therefore, if the deletion was unintentional you can onboard the account back within 24 hours to resume monitoring and retain the history on your cloud resources. The audit logs retain the activity history of the user who deleted the account, the name of the cloud account and when the action was performed.
In addition, when you delete a project on GCP, Prisma Cloud learns about it and automatically deletes the account from the list of monitored accounts on Settings > Cloud Accounts. To track the automatic deletion of the project, an audit log is generated.
RQL Enhancements for Functions
For Config RQL queries, view the results of a _DateTime function (such as _DateTime.ageInDays) as a column on the Investigate page, instead of locating and verifying the results within the resource JSON.
For example, the query
config where api.name = 'aws-ec2-describe-instances' addcolumn _DateTime.ageInDays(launchTime)
adds a column for LaunchTime and displays the results on the page.
Functions also support auto-suggest when you enter the prefix _ in a json.rule or addcolumn attribute.
Saved Search for Identifying VM-Series Firewalls
Use the new saved search to list VM-Series Firewall instances that are deployed on your GCP, AWS, and Azure environments. You can use this saved search to easily create a policy and generate an alert if you want to ensure that your internet-facing workloads are secured with VM-Series firewalls.
config where api.name = 'gcloud-compute-instances-list' as X; config where api.name = 'gcp-compute-disk-list' as Y; filter '$.X.disks[*].source contains $.Y.name and ($.Y.sourceImage contains vmseries-bundle or $.Y.sourceImage contains vmseries-byol)' ; show X;
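As an added example (not Prisma Cloud code), the join that the saved search expresses in RQL, run locally over two constructed result sets shaped like gcloud-compute-instances-list (X) and gcp-compute-disk-list (Y). It goes one step beyond the RQL: the instance-to-disk match compares the last segment of the disk URL exactly rather than with contains, so a disk named fw-edge-1 does not also match fw-edge-10. Project, zone and image names are placeholders.

```python
# Added example, not Prisma Cloud code: the instance/disk join behind the
# VM-Series saved search above, run locally over constructed result sets.

VMSERIES_IMAGE_MARKERS = ("vmseries-bundle", "vmseries-byol")


def is_vmseries_image(source_image):
    """The ($.Y.sourceImage contains vmseries-bundle or ... vmseries-byol) clause."""
    return any(marker in (source_image or "") for marker in VMSERIES_IMAGE_MARKERS)


def disk_name_from_source(source_url):
    """An instance names its disk by URL (.../zones/<zone>/disks/<name>)."""
    return source_url.rsplit("/", 1)[-1]


def vmseries_instances(instances, disks):
    """Return names of instances that have a disk created from a VM-Series image.

    The RQL joins with "$.X.disks[*].source contains $.Y.name"; here the disk
    name is matched exactly (last URL segment) so that "fw-1" cannot match "fw-10".
    """
    vmseries_disks = {d["name"] for d in disks if is_vmseries_image(d.get("sourceImage"))}
    return [
        inst["name"]
        for inst in instances
        if any(disk_name_from_source(d.get("source", "")) in vmseries_disks
               for d in inst.get("disks", []))
    ]


# Constructed sample data; project/zone/image names are placeholders.
BASE = "https://www.googleapis.com/compute/v1/projects/example-project"
SAMPLE_INSTANCES = [
    {"name": "fw-edge-1", "disks": [{"source": f"{BASE}/zones/us-central1-a/disks/fw-edge-1"}]},
    {"name": "fw-edge-10", "disks": [{"source": f"{BASE}/zones/us-central1-a/disks/fw-edge-10"}]},
    {"name": "web-1", "disks": [{"source": f"{BASE}/zones/us-central1-a/disks/web-1"}]},
]
SAMPLE_DISKS = [
    {"name": "fw-edge-1", "sourceImage": f"{BASE}/global/images/vmseries-byol-example"},
    {"name": "fw-edge-10", "sourceImage": f"{BASE}/global/images/ubuntu-example"},
    {"name": "web-1", "sourceImage": f"{BASE}/global/images/debian-example"},
]

if __name__ == "__main__":
    print("VM-Series instances:", vmseries_instances(SAMPLE_INSTANCES, SAMPLE_DISKS))
```

With the sample data only fw-edge-1 is listed; with a plain substring match, fw-edge-10 would be listed too, because its disk URL contains "fw-edge-1".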
Azure AKS cluster pool profile count contains less than 3 nodes
Checks if there are fewer than 3 nodes within your AKS cluster pool profile and alerts you if so.
Azure AKS cluster Azure CNI networking not enabled
Checks your AKS cluster for the Container Networking Interface (CNI) plugin and generates an alert if it is not enabled.
Azure AKS cluster monitoring not enabled
Checks if monitoring is enabled for AKS clusters and alerts you if no configuration is found, or the monitoring add-on is disabled.
Azure AKS enable role-based access control (RBAC) not enforced
Checks whether your AKS cluster is RBAC enabled to grant users or groups access to only the resources they need.
Azure ACR HTTPS not enabled for webhook
Checks your Azure container registry webhooks for the use of the HTTPS protocol and alerts you if it is not enabled.
Azure AKS cluster HTTP application routing enabled
Checks if your AKS cluster has the HTTP application routing add-on that creates publicly accessible DNS names for application endpoints and alerts you if it is enabled.
Config policy GCP HTTPS Load balancer SSL Policy not using restrictive profile
Identifies GCP HTTPS Load balancers that are not using a restrictive profile in SSL Policy to meet stricter compliance requirements.
GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower
Identifies GCP HTTPS Load balancers that are configured to use SSL policy with TLS version 1.1 or lower.
This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on July 25, 2019.
Support for the AWS Hong Kong region
Prisma Cloud can now monitor resources in the AWS Hong Kong region (ap-east-1).
IP Address Modeling for Anomaly Alert Generation
To reduce false positives when detecting unusual user activity, Prisma Cloud has augmented UEBA modeling to incorporate IP address information.
Prisma Cloud relies on a third-party source for IP address to geo-location resolution to detect unusual user activity. Using the IP address to geo-location resolution can sometimes generate false positives in the Unusual User Activity policy when the same IP resolves to different locations at different points in time. With this modeling change, when there is unusual user activity from a previously unseen location for a known IP address, the service no longer generates anomaly alerts.
Microsoft Teams Integration
Create an Office 365 webhook integration on a Microsoft Teams channel and configure Prisma Cloud to send notifications to it. Sending RedLock alerts to a Microsoft Teams channel enables your DevOps and SecOps teams to investigate and remediate security incidents more promptly.
API Ingestion Updates
Prisma Cloud has added coverage for the GCP API service gcloud-compute-global-forwarding-rule.
GCP storage bucket is encrypted using default KMS key instead of customer-managed key
Identifies storage buckets that are encrypted with the default Google-managed keys. As a best practice, use Customer-managed keys to encrypt the data in your storage bucket and ensure full control over your data.
GCP load balancer target proxy is configured with default SSL policy instead of custom SSL policy
Identifies load balancer target proxies which are configured with default SSL policy instead of a custom SSL policy. As a best practice, using custom SSL policy to access load balancers gives you better control over SSL/TLS versions and ciphers.
GCP load balancer HTTPS target proxy is not configured with QUIC protocol
Identifies load balancer HTTPS target proxies which are not configured with the QUIC protocol. Enabling the QUIC protocol helps the load balancer HTTPS target proxies establish connections faster, supports stream-based multiplexing and improved loss recovery, and eliminates head-of-line blocking.
This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on July 11, 2019.
Amazon GuardDuty Findings on IAM Users
To help you find potential security issues—malicious activity and unauthorized behavior—that pertain to IAM Users who are identified in Amazon GuardDuty findings, you can now specify hostfinding.type = 'AWS GuardDuty IAM' in a Config RQL query.
Azure Network Security Group Rule Actions
To help you audit Network Security Groups (NSGs) directly from the RedLock console, the resource explorer and the network explorer display how Azure NSGs are configured to enforce traffic in your Azure environment.
To display the information on the Azure NSG rule, both the resource explorer and the network explorer, now have a new Action column, which indicates whether the NSG rule is set to Allow or Deny traffic.
API Ingestion Update
Prisma Cloud has improved coverage for the following API service that you can query using RQL:
The API aws-elasticbeanstalk-environment JSON is modified to include the response from the environment resources details in the describeEnvironmentResources field.
The following new policies are available in this release:
AWS EKS cluster control plane assigned to multiple security groups
Checks the number of security groups assigned to your AWS EKS cluster control plane and alerts if more than one security group is attached to the cluster.
AWS EKS cluster using the default VPC
Identifies AWS Kubernetes clusters which are configured with the default VPC instead of a custom VPC.
AWS EKS control plane logging disabled
Checks whether or not Kubernetes control plane logging for audit and diagnostic logs is enabled so that log data on your EKS cluster is directly written to CloudWatch Logs. This policy alerts you if logging is disabled.
AWS EKS cluster security group overly permissive to all traffic
Identifies security group rules that are attached to the cluster network and allow inbound traffic for all protocols from the public internet.
AWS EKS cluster endpoint access publicly enabled
Checks whether your Kubernetes cluster endpoint that enables the API server to communicate with all worker nodes within your cluster is publicly accessible. This policy alerts if you have not restricted public access to the Kubernetes cluster endpoint.
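The five EKS policies listed above each inspect one part of the cluster's configuration. As an added example (not Prisma Cloud code), the following evaluates the same five conditions locally against a constructed DescribeCluster-style record and constructed security-group records; DEFAULT_VPCS stands in for the VPC IDs that describe-vpcs reports with IsDefault set. The field names (resourcesVpcConfig, logging.clusterLogging, IpPermissions) follow the AWS API responses.

```python
# Added example, not Prisma Cloud code: the EKS control-plane checks listed
# above, evaluated locally against constructed cluster and security-group records.

ANYWHERE = "0.0.0.0/0"


def enabled_log_types(cluster):
    """Collect the control-plane log types that are switched on."""
    types = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            types.update(entry.get("types", []))
    return types


def security_group_open_to_world(group):
    """True if any inbound rule allows all protocols from the public internet."""
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") != "-1":
            continue
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if ANYWHERE in cidrs or "::/0" in cidrs:
            return True
    return False


def eks_findings(cluster, security_groups, default_vpcs):
    """Return the policy titles from the release notes that the cluster violates."""
    vpc = cluster.get("resourcesVpcConfig", {})
    sg_ids = vpc.get("securityGroupIds", [])
    findings = []
    if len(sg_ids) > 1:
        findings.append("AWS EKS cluster control plane assigned to multiple security groups")
    if vpc.get("vpcId") in default_vpcs:
        findings.append("AWS EKS cluster using the default VPC")
    if not enabled_log_types(cluster):
        findings.append("AWS EKS control plane logging disabled")
    if any(security_group_open_to_world(security_groups.get(sg, {})) for sg in sg_ids):
        findings.append("AWS EKS cluster security group overly permissive to all traffic")
    # A missing publicAccessCidrs means the endpoint is reachable from anywhere.
    if vpc.get("endpointPublicAccess") and ANYWHERE in vpc.get("publicAccessCidrs", [ANYWHERE]):
        findings.append("AWS EKS cluster endpoint access publicly enabled")
    return findings


# Constructed sample data (IDs are placeholders).
DEFAULT_VPCS = {"vpc-0default0000000001"}
SAMPLE_SECURITY_GROUPS = {
    "sg-0open000000000001": {"IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-0tight00000000002": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
}
ALL_LOG_TYPES = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
WEAK_CLUSTER = {
    "name": "dev-cluster",
    "resourcesVpcConfig": {"vpcId": "vpc-0default0000000001",
                           "securityGroupIds": ["sg-0open000000000001", "sg-0tight00000000002"],
                           "endpointPublicAccess": True, "endpointPrivateAccess": False},
    "logging": {"clusterLogging": [{"types": ALL_LOG_TYPES, "enabled": False}]},
}
HARDENED_CLUSTER = {
    "name": "prod-cluster",
    "resourcesVpcConfig": {"vpcId": "vpc-0custom0000000002",
                           "securityGroupIds": ["sg-0tight00000000002"],
                           "endpointPublicAccess": False, "endpointPrivateAccess": True},
    "logging": {"clusterLogging": [{"types": ALL_LOG_TYPES, "enabled": True}]},
}

if __name__ == "__main__":
    for c in (WEAK_CLUSTER, HARDENED_CLUSTER):
        print(c["name"], eks_findings(c, SAMPLE_SECURITY_GROUPS, DEFAULT_VPCS))
```

The weak cluster trips all five checks; the hardened one, with a single restrictive security group, a custom VPC, logging enabled and a private-only endpoint, trips none.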
This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on June 22, 2019.
Just-In-Time Provisioning for SSO Users
To successfully access the RedLock service using Single Sign-on (SSO), every user (administrator) requires a local account on Prisma Cloud. With Just-In-Time (JIT) Provisioning, you are no longer required to create the user in advance on Prisma Cloud. After successful authentication with your SSO Identity Provider (IdP), users are now automatically provisioned on Prisma Cloud with the specified role. From Settings > SSO, enable JIT Provisioning and specify the SAML attributes you configured for your users on your IdP.
Coverage for Azure Container Registry Webhooks and Azure App Service Authentication
When you onboard your Azure subscriptions to Prisma Cloud, you can now ingest additional information from the Azure Container Registry webhooks and the Azure App Service to provide more visibility and context.
Create a custom role or modify an existing role to include the following permissions:
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action—to ingest data from Azure Container Registry webhooks that are triggered when a container image or Helm chart is pushed to a registry, or deleted from it.
To ingest Authentication/Authorization data from Azure App Service that hosts websites and web applications.
This custom role is required in addition to the Reader Role, which is adequate to ingest configuration data from the Azure App Service.
Bypass DNS Resolution for SAML
If you have deployed your IdP on an internal network and do not need a DNS lookup for the URLs defined in the SSO configuration settings, you can now disable it. To disable DNS lookups, clear Enforce DNS resolution for RedLock Access SAML on Settings > SSO.
New API Ingestion
Prisma Cloud adds coverage for the following new services that you can use in RQL:
API Ingestion Updates
The aws-iam-get-policy-version API is modified to list all IAM users, groups, and roles that the specified managed policy is attached to. With this change, this API now retrieves information about managed policies along with all IAM users, groups, and roles attached to the policies.
The aws-rds-db-cluster-snapshots API now includes a new JSON field dbclusterSnapshotAttributes that provides information about the attributes of an RDS database cluster snapshot.
The aws-kms-get-key-rotation-status API now includes a new JSON field policies. With this change, this API now retrieves the KMS key rotation status along with the list of policies associated with the key.
The aws-ecr-get-repository-policy API is updated to include the IAM policy statement, which provides information on the operations performed on the ECR resource. With this change, the JSON structure is fully revised.
The aws-sqs-get-queue-attributes API is updated to include the policy statement, which provides information on the operations performed on the SQS resource. With this change, the JSON structure is fully revised.
This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on June 6, 2019.
CSV Download of Config Data
You can now download details in CSV format to analyze Config events offline. Enter your RQL query on the Investigate page of the RedLock admin console to download the results as a .zip file.
Tenable Integration for GCP accounts
The RedLock service now supports the Tenable integration on Google Cloud Platform. This integration provides additional context around vulnerabilities identified in your GCP workloads to help you prioritize alerts. For example, you can address high severity vulnerabilities on hosts that are internet facing and are receiving malicious traffic ahead of other types of hosts.
CLI Variables for Automated Remediation
When you define a custom policy with auto-remediation, you can now see the variables that are available for use in the CLI commands.
Auto Suggestion for json.rule attribute in Event RQL
To help you easily build Event RQL queries, you can see automatic suggestions for the attribute json.rule when used with the operation attribute. Auto suggest works with the operators = and IN.
Prisma Cloud now ingests the following new Azure services to help build Config queries:
Classification of Microsoft Azure ELBs
Microsoft Azure Load Balancers are now classified as Azure ELB.
AWS Lambda Function is not assigned to access within VPC
Identifies the AWS Lambda functions which do not have access within the VPC.
GCP Project audit logging is not configured properly across all services and all users in a project
Identifies the GCP projects in which cloud audit logging is not configured properly across all services and all users.
This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on May 23, 2019.
RedLock Service in New Regions
Prisma Cloud is now available in the Australia & New Zealand (ANZ) region. You can select this region when you sign up for the service from the AWS Marketplace or the Palo Alto Networks Marketplace. In addition, Prisma Cloud is also available on AWS GovCloud. You can request a RedLock tenant on AWS GovCloud when you sign up for the service from the Palo Alto Networks Marketplace.
Operators in Event RQL
You can now use the operators Contains, Does not Contain, Exists, and Does not exist with Event RQL queries.
API Ingestion Update
The API aws-iam-get-policy-version is now updated to fetch unattached policies.
user Attribute Rename in Event RQL
The user attribute in Event RQL is renamed to subject to represent both users and instances. For example:
event where role = 'oktaDevReadWriteRole' and subject = 'firstname.lastname@example.org'
role Attribute in Event RQL
The new Event RQL attribute role allows you to filter the search results by role. For example:
event where role = 'OktaDevReadWriteRole'
Support for Strings with Space Separators
You can now use RQL to search for strings that include white space as a separator. This capability helps you find values with spaces, such as in keys, key value pairs, or security groups. For example, if your key name is test 4081 and it has the value tag with space, use this query:
config where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = "tags[*] size greater than 0 and tags[?(@.key=='test 4081')].value contains \"tag with space\""
Network Alert Workflow Update
Prisma Cloud now automatically reopens any alerts for a Network policy violation that you had manually dismissed, in the event that the same policy is violated again.
GCP Kubernetes cluster size contains less than 3 nodes
Checks the size of your cluster pools and alerts if there are fewer than 3 nodes in a pool.
GCP Kubernetes cluster Istio Config not enabled
Checks your cluster for the Istio add-on feature and alerts if it is not enabled.
GCP Kubernetes cluster not in redundant zones
Alerts if your cluster is not located in at least 3 zones.
GCP Kubernetes cluster Application-layer Secrets not encrypted
Checks your cluster for the Application-layer Secrets Encryption security feature and alerts if it is not enabled.
GCP Kubernetes cluster intra-node visibility disabled
Checks your cluster's intra-node visibility feature and generates an alert if it's disabled.
AWS SSM Parameter is not encrypted
Identifies the AWS SSM Parameters which are not encrypted.
AWS CloudFront Distribution with S3 have Origin Access set to disabled
Identifies the AWS CloudFront distributions which are utilizing S3 bucket and have Origin Access Disabled.
AWS CloudFront Distributions with Field-Level Encryption not enabled
Identifies CloudFront distributions for which field-level encryption is not enabled.
This information was adapted from TechDocs. For more information about the release notes or to view other release notes, please visit Features Introduced on May 9, 2019.
To continue providing a consistent and integrated experience across all our products, we’ve released a unified UX for Prisma ™ Cloud:
The URLs to access Prisma Cloud have changed. While we recommend you update your URLs, redirects are in place to minimize interruption of ongoing workflows and automation scripts.
Previous Access URL
Updated Access URL
Previous API URL
Updated API URL
Change in authentication for non-SSO users
We’ve integrated with the Palo Alto Networks login service, so if you’re currently not using a third-party identity provider for single sign-on (SSO), you only need one set of credentials to access all your products, services, support, and collateral.
This will not affect anyone currently using third-party SSO to access the Prisma Cloud application. However, this change does affect non-SSO users who access it directly with a username and password. We’ve exchanged local credential access as well as the "forgot" and "change password" processes for a more robust login flow. Non-SSO users will now need to log in via the Palo Alto Networks login page:
The Prisma Cloud application will redirect you to the Palo Alto Networks login page.
After authentication, all single-tenant users will be redirected to the application.
If you have multiple tenants within the same region, you’ll be redirected to the Palo Alto Networks Hub, which will let you choose which tenant to log in to.
If you haven’t set up an account yet, you’ll be able to do so by clicking “Forgot Password?” on the new sign-in page.
If you’re currently using username and password for automation purposes via our APIs, please refer to the section below on "API Access Keys."
The Palo Alto Networks Hub
The hub shows all the products you’re authorized to use in an easy-to-navigate dashboard to give you better visibility of your overall security posture.
API Access Keys
We have implemented API access keys, providing system administrators the ability to grant or revoke users’ access key permissions to communicate with our APIs.
Existing username and password-based automations will not be immediately disabled. Your automations will continue to work; however, we strongly recommend you adopt new access keys for more secure access.
Our intention is to sunset local passwords altogether from Prisma Cloud in a few months. We’ll send reminders to those using username and password-based automation to switch over to access keys before deprecating local passwords to ensure your business remains uninterrupted.
For additional information, please watch:
Prisma Cloud: Product Update and Demo