Prisma Cloud Articles

New Features

Integration Status Checks: Prisma Cloud performs periodic checks and background validation of outbound external integrations to identify exceptions or failures in processing notifications. With the exception of the Email, PagerDuty, Qualys, and Tenable.io integrations, the status checks now indicate when a change on the integration vendor's side impacts outbound alert notifications. The status displays as red (the integration failed validation), yellow (one or more templates associated with the integration are invalid), or green (the integration is working and all templates are valid). Any state transitions are automatically reflected on the Prisma Cloud administrator console.

Resource Attribution on Azure Updates: Prisma Cloud correlates data available in resource configurations and audit events to help you identify who (which user) made changes to specific Azure resources. In addition to the services that were supported in the last release, resource attribution is now available for events related to the following Azure resources: Azure Network Watcher, Azure Load Balancer, Azure SQL Database, Azure SQL Server, Azure Storage Account, Azure VPN Connection, Azure Container Registry, Azure Application Gateway, Azure Disk, Azure Vault, and Azure App Service.

API Ingestion Updates: Prisma Cloud has added coverage for the following APIs: azure-cosmos-db and azure-network-route-table. The JSON for the aws-sns-get-subscription-attributes API is updated; some fields, such as RawMessageDelivery, PendingConfirmation, and ConfirmationWasAuthenticated, are no longer retrieved for this API.

Policy Updates

AWS ECS Task Definition Elevated Privileges Enabled: Checks the security configuration of your task definition for ECS containers and alerts you if elevated privileges are enabled.

AWS ECS/ECS Fargate task definition execution IAM Role not found: Generates an alert if a task execution IAM role is not defined in your task definition for pulling container images and publishing container logs to Amazon CloudWatch.

AWS ECS Task Definition Root User Found: Checks whether your container definition uses the root user and alerts you if it does.

GCP GKE Unsupported Node Version: Checks your GKE master node version and generates an alert if the version running is unsupported.

Non-Corporate Accounts Have Access to Google Cloud Platform (GCP) Resources: The RQL in this customizable policy is updated to match on more than one domain, and the match criteria check whether the email address contains or ends in the specified domain(s).
jeisenhart Monday
New Features

Simplified Cloud Account Onboarding for First-Time Users: The Cloud Account Onboarding tours are designed to help you onboard your cloud accounts on AWS, Azure, and GCP and simplify the first step for cloud monitoring and governance. The guided experience helps Prisma Cloud administrators with the System Administrator and Cloud Provisioning Administrator roles automate some of the configuration options for quicker onboarding.

HITRUST Compliance Standard for AWS: With support for the Health Information Trust Alliance (HITRUST) security control framework, Prisma Cloud enables you to audit how you are doing against this healthcare regulatory requirement. Use the policy checks included in the HITRUST Version 9.2 compliance standard to ensure that your AWS workloads that store, process, transmit, and analyze protected health information are handling sensitive data securely.

Principal ARN Check for Prisma Cloud Monitored AWS Accounts: The _AWSCloudAccount.isRedLockMonitored function is enhanced to check for the Principal ARN in addition to the Account ID specified in the policy trust document, and to verify whether the AWS Principal ARN belongs to an account that is monitored by Prisma Cloud. The RQL is:

config where api.name = 'aws-iam-list-roles' AND json.rule = '_AWSCloudAccount.isRedLockMonitored(role.assumeRolePolicyDocument.Statement[*].Principal.AWS) is true'

With this enhancement, when you use this RQL in a custom policy, an alert is generated when a cross-account role allows access to an AWS account (a third-party account or another AWS account you own) that is not monitored by Prisma Cloud.

API Ingestion Updates: Prisma Cloud has added coverage for the aws-iam-saml-provider API.

Policy Updates

GCP load balancer sensitive configuration updates: Detects sensitive configuration updates such as the deletion or modification of a GCP load balancer and SSL policies.
This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced in August 2019.
jeisenhart 3 weeks ago
New Features

Flow Logs Ingestion Update: After you enable flow logs, Prisma Cloud ingests flow log data for the last seven days only. If flow logs become unavailable for any reason, for example because you manually disable flow logs, modify API permissions, or an internal error occurs, then when access is restored only logs from the preceding seven days are ingested.

Deletion of GCP Organization and Master Service Account: If you no longer want Prisma Cloud to monitor a GCP organization, or you want to delete a GCP project that you onboarded using a master service account, you can now delete the organization or project on Settings > Cloud Accounts. Although the service stops ingesting data from the project or organization as soon as you delete it, all the data on your cloud resources is purged only after 24 hours. Therefore, if the deletion was unintentional you can onboard the account again within 24 hours to resume monitoring and retain the history on your cloud resources. The audit logs retain the activity history of the user who deleted the account, the name of the cloud account, and when the action was performed. In addition, when you delete a project on GCP, Prisma Cloud learns about it and automatically deletes the account from the list of monitored accounts on Settings > Cloud Accounts. An audit log is generated to track the automatic deletion of the project.

RQL Enhancements for Functions: For Config RQL queries, you can view the results of the _DateTime function as a column on the Investigate page, instead of locating and verifying the results within the resource JSON. For example, the query

config where api.name = 'aws-ec2-describe-instances' addcolumn _DateTime.ageInDays(launchTime)

adds a column for LaunchTime and displays the results on the page. Functions also support auto-suggest when you enter the prefix _ in a json.rule or addcolumn attribute.

Saved Search for Identifying VM-Series Firewalls: Use the new saved search to list VM-Series firewall instances that are deployed in your GCP, AWS, and Azure environments. You can use this saved search to easily create a policy and generate an alert if you want to ensure that your internet-facing workloads are secured with VM-Series firewalls. The query for GCP is:

config where api.name = 'gcloud-compute-instances-list' as X; config where api.name = 'gcp-compute-disk-list' as Y; filter '$.X.disks[*].source contains $.Y.name and ($.Y.sourceImage contains vmseries-bundle or $.Y.sourceImage contains vmseries-byol)'; show X;

Policy Updates

Azure AKS cluster pool profile count contains less than 3 nodes: Checks whether there are fewer than 3 nodes within your AKS cluster pool profile and alerts you if so.

Azure AKS cluster Azure CNI networking not enabled: Checks your AKS cluster for the Container Networking Interface (CNI) plugin and generates an alert if it is not enabled.

Azure AKS cluster monitoring not enabled: Checks whether monitoring is enabled for AKS clusters and alerts you if no configuration is found or the monitoring add-on is disabled.

Azure AKS enable role-based access control (RBAC) not enforced: Checks whether your AKS cluster has RBAC enabled, so that users or groups are granted access to only the resources they need.

Azure ACR HTTPS not enabled for webhook: Checks your Azure Container Registry webhooks for the use of the HTTPS protocol and alerts you if it is not enabled.

Azure AKS cluster HTTP application routing enabled: Checks whether your AKS cluster has the HTTP application routing add-on, which creates publicly accessible DNS names for application endpoints, and alerts you if it is enabled.

GCP HTTPS Load balancer SSL Policy not using restrictive profile: Identifies GCP HTTPS load balancers that are not using a restrictive profile in their SSL policy to meet stricter compliance requirements.

GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower: Identifies GCP HTTPS load balancers that are configured to use an SSL policy with TLS version 1.1 or lower.

This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on July 25, 2019.
3 weeks ago
New Features

Support for the AWS Hong Kong region: Prisma Cloud can now monitor resources in the AWS Hong Kong region (ap-east-1).

IP Address Modeling for Anomaly Alert Generation: To reduce false positives when detecting unusual user activity, Prisma Cloud has augmented its UEBA modeling to incorporate IP address information. Prisma Cloud relies on a third-party source for IP address to geo-location resolution to detect unusual user activity. Using IP address to geo-location resolution can sometimes generate false positives in the Unusual User Activity policy when the same IP resolves to different locations at different points in time. With this modeling change, when there is unusual user activity from a previously unseen location for a known IP address, the service no longer generates anomaly alerts.

Microsoft Teams Integration: Create an Office 365 webhook integration on a Microsoft Teams channel and configure Prisma Cloud to send notifications to it. Sending RedLock alerts to a Microsoft Teams channel enables your DevOps and SecOps teams to investigate and remediate security incidents more promptly.

API Ingestion Updates: Prisma Cloud has added coverage for the GCP API service gcloud-compute-global-forwarding-rule.

Policy Updates

GCP storage bucket is encrypted using default KMS key instead of customer-managed key: Identifies storage buckets that are encrypted with the default Google-managed keys. As a best practice, use customer-managed keys to encrypt the data in your storage bucket and ensure full control over your data.

GCP load balancer target proxy is configured with default SSL policy instead of custom SSL policy: Identifies load balancer target proxies that are configured with the default SSL policy instead of a custom SSL policy. As a best practice, using a custom SSL policy for access to your load balancers gives you better control over SSL/TLS versions and ciphers.

GCP load balancer HTTPS target proxy is not configured with QUIC protocol: Identifies load balancer HTTPS target proxies that are not configured with the QUIC protocol. Enabling QUIC helps the load balancer HTTPS target proxies establish connections faster, supports stream-based multiplexing and improved loss recovery, and eliminates head-of-line blocking.

This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on July 11, 2019.
3 weeks ago
New Features

Amazon GuardDuty Findings on IAM Users: To help you find potential security issues (malicious activity and unauthorized behavior) that pertain to IAM users identified in Amazon GuardDuty findings, you can now specify hostfinding.type = 'AWS GuardDuty IAM' in a Config RQL query.

Azure Network Security Group Rule Actions: To help you audit Network Security Groups (NSGs) directly from the RedLock console, the resource explorer and the network explorer display how Azure NSGs are configured to enforce traffic in your Azure environment. To display this information for an Azure NSG rule, both the resource explorer and the network explorer now have a new Action column, which indicates whether the NSG rule is set to Allow or Deny traffic.

API Ingestion Update: Prisma Cloud has improved coverage for the following API service that you can query using RQL: the aws-elasticbeanstalk-environment API JSON is modified to include the response from the environment resource details in the describeEnvironmentResources field.

Policy Updates

The following new policies are available in this release:

AWS EKS cluster control plane assigned to multiple security groups: Checks the number of security groups assigned to your AWS EKS cluster control plane and alerts if more than one security group is attached to the cluster.

AWS EKS cluster using the default VPC: Identifies AWS Kubernetes clusters that are configured with the default VPC instead of a custom VPC.

AWS EKS control plane logging disabled: Checks whether Kubernetes control plane logging for audit and diagnostic logs is enabled, so that log data for your EKS cluster is written directly to CloudWatch Logs. This policy alerts you if logging is disabled.

AWS EKS cluster security group overly permissive to all traffic: Identifies security group rules that are attached to the cluster network and allow inbound traffic for all protocols from the public internet.

AWS EKS cluster endpoint access publicly enabled: Checks whether your Kubernetes cluster endpoint, which enables the API server to communicate with all worker nodes within your cluster, is publicly accessible. This policy alerts if you have not restricted public access to the Kubernetes cluster endpoint.

This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on June 22, 2019.
3 weeks ago
New Features

Just-In-Time Provisioning for SSO Users: To access the RedLock service using Single Sign-On (SSO), every user (administrator) requires a local account on Prisma Cloud. With Just-In-Time (JIT) Provisioning, you are no longer required to create the user in advance on Prisma Cloud. After successful authentication with your SSO Identity Provider (IdP), users are now automatically provisioned on Prisma Cloud with the specified role. On Settings > SSO, enable JIT Provisioning and specify the SAML attributes you configured for your users on your IdP.

Coverage for Azure Container Registry Webhooks and Azure App Service Authentication: When you onboard your Azure subscriptions to Prisma Cloud, you can now ingest additional information from Azure Container Registry webhooks and Azure App Service to provide more visibility and context. Create a custom role or modify an existing role to include the following permissions:

Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action: to ingest data from Azure Container Registry webhooks that are triggered when a container image or Helm chart is pushed to a registry or deleted from it.

Microsoft.Web/sites/config/list/action: to ingest Authentication/Authorization data from Azure App Service, which hosts websites and web applications. This custom role is required in addition to the Reader role, which is adequate to ingest configuration data from Azure App Service.

Bypass DNS Resolution for SAML: If you have deployed your IdP on an internal network and do not need a DNS lookup for the URLs defined in the SSO configuration settings, you can now disable it. To disable DNS lookups, clear Enforce DNS resolution for RedLock Access SAML on Settings > SSO.

New API Ingestion: Prisma Cloud adds coverage for the following new services that you can use in RQL: GCP: gcloud-compute-target-https-proxies; AWS: aws-rds-db-clusters.

API Ingestion Updates

aws-iam-get-policy-version: The aws-iam-get-policy-version API is modified to list all IAM users, groups, and roles that the specified managed policy is attached to. With this change, this API now retrieves information about managed policies along with all IAM users, groups, and roles attached to the policies.

aws-rds-db-cluster-snapshots: The aws-rds-db-cluster-snapshots API now includes a new JSON field, dbclusterSnapshotAttributes, that provides information on the attributes of an RDS database cluster snapshot.

aws-kms-get-key-rotation-status: The aws-kms-get-key-rotation-status API now includes a new JSON field, policies. With this change, this API now retrieves the KMS key rotation status along with the list of policies associated with the key.

aws-ecr-get-repository-policy: The aws-ecr-get-repository-policy API is updated to include the IAM policy statement, which provides information on the operations performed on the ECR resource. With this change the JSON structure is fully revised.

aws-sqs-get-queue-attributes: The aws-sqs-get-queue-attributes API is updated to include the policy statement, which provides information on the operations performed on the SQS resource. With this change the JSON structure is fully revised.

This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on June 6, 2019.
3 weeks ago
New Features

CSV Download of Config Data: You can now download details in CSV format to analyze Config events offline. Enter your RQL query on the Investigate page of the RedLock admin console to download the results as a .zip file.

Tenable Integration for GCP accounts: The RedLock service now supports the Tenable integration on Google Cloud Platform. This integration provides additional context around vulnerabilities identified in your GCP workloads to help you prioritize alerts. For example, you can address high-severity vulnerabilities on hosts that are internet facing and are receiving malicious traffic ahead of other types of hosts.

CLI Variables for Automated Remediation: When you define a custom policy with auto-remediation, you can now see the variables that are available for use in the CLI commands.

Auto Suggestion for json.rule attribute in Event RQL: To help you easily build Event RQL queries, you can see automatic suggestions for the json.rule attribute when it is used with the operation attribute. Auto suggest works with the operators = and IN.

API Ingestion: Prisma Cloud now ingests the following new Azure services to help build Config queries: azure-app-service and azure-kubernetes-cluster.

Classification of Microsoft Azure ELBs: Microsoft Azure Load Balancers are now classified as Azure ELB.

Policy Updates

AWS Lambda Function is not assigned to access within VPC: Identifies AWS Lambda functions that do not have access within the VPC.

GCP Project audit logging is not configured properly across all services and all users in a project: Identifies GCP projects in which cloud audit logging is not configured properly across all services and all users.

This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on May 23, 2019.
3 weeks ago
New Features

RedLock Service in New Regions: Prisma Cloud is now available in the Australia & New Zealand (ANZ) region. You can select this region when you sign up for the service from the AWS Marketplace or the Palo Alto Networks Marketplace. In addition, Prisma Cloud is also available on AWS GovCloud. You can request a RedLock tenant on AWS GovCloud when you sign up for the service from the Palo Alto Networks Marketplace.

Operators in Event RQL: You can now use the operators Contains, Does not Contain, Exists, and Does not exist with Event RQL queries.

API Ingestion Update: The aws-iam-get-policy-version API is now updated to fetch unattached policies.

user Attribute Rename in Event RQL: The user attribute in Event RQL is renamed to subject to represent both users and instances. For example:

event where role = 'oktaDevReadWriteRole' and subject = 'johnjames@paloaltonetworks.com'

role Attribute in Event RQL: The new Event RQL attribute role allows you to filter the search results by role. For example:

event where role = 'OktaDevReadWriteRole'

Support for Strings with Space Separators: You can now use RQL to search for strings that include white space as a separator. This capability helps you find values containing spaces, such as in keys, key-value pairs, or security groups. For example, if your key name is test 4081 and it has the value tag with space, use this query:

config where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = "tags[*] size greater than 0 and tags[?(@.key=='test 4081')].value contains \"tag with space\""

Network Alert Workflow Update: Prisma Cloud now automatically reopens any alert for a Network policy violation that you had manually dismissed if the same policy is violated again.

Policy Updates

GCP Kubernetes cluster size contains less than 3 nodes: Checks the size of your cluster pools and alerts if there are fewer than 3 nodes in a pool.

GCP Kubernetes cluster Istio Config not enabled: Checks your cluster for the Istio add-on feature and alerts if it is not enabled.

GCP Kubernetes cluster not in redundant zones: Alerts if your cluster is not located in at least 3 zones.

GCP Kubernetes cluster Application-layer Secrets not encrypted: Checks your cluster for the Application-layer Secrets Encryption security feature and alerts if it is not enabled.

GCP Kubernetes cluster intra-node visibility disabled: Checks your cluster's intra-node visibility feature and generates an alert if it is disabled.

AWS SSM Parameter is not encrypted: Identifies AWS SSM Parameters that are not encrypted.

AWS Cloudfront Distribution with S3 have Origin Access set to disabled: Identifies AWS CloudFront distributions that use an S3 bucket and have Origin Access disabled.

AWS CloudFront Distributions with Field-Level Encryption not enabled: Identifies CloudFront distributions for which field-level encryption is not enabled.

This information was adapted from TechDocs. For more information about the release notes or to view other release notes, please visit Features Introduced on May 9, 2019.
3 weeks ago
To continue providing a consistent and integrated experience across all our products, we’ve released a unified UX for Prisma Cloud.

The URLs to access Prisma Cloud have changed. While we recommend you update your URLs, redirects are in place to minimize interruption of ongoing workflows and automation scripts.

Previous Access URL -> Updated Access URL
app.redlock.io -> app.prismacloud.io
app2.redlock.io -> app2.prismacloud.io
app3.redlock.io -> app3.prismacloud.io
app.anz.redlock.io -> app.anz.prismacloud.io
app.eu.redlock.io -> app.eu.prismacloud.io
app.gov.redlock.io -> app.gov.prismacloud.io

Previous API URL -> Updated API URL
api.redlock.io -> api.prismacloud.io
api2.redlock.io -> api2.prismacloud.io
api3.redlock.io -> api3.prismacloud.io
api.anz.redlock.io -> api.anz.prismacloud.io
api.eu.redlock.io -> api.eu.prismacloud.io
api.gov.redlock.io -> api.gov.prismacloud.io

Change in authentication for non-SSO users

We’ve integrated with the Palo Alto Networks login service, so if you’re currently not using a third-party identity provider for single sign-on (SSO), you only need one set of credentials to access all your products, services, support, and collateral. This will not affect anyone currently using third-party SSO to access the Prisma Cloud application. However, this change does affect non-SSO users who access it directly with a username and password. We’ve replaced local credential access, as well as the "forgot" and "change password" processes, with a more robust login flow. Non-SSO users will now need to log in via the Palo Alto Networks login page:

The Prisma Cloud application will redirect you to the Palo Alto Networks login page. After authentication, all single-tenant users will be redirected to the application. If you have multiple tenants within the same region, you’ll be redirected to the Palo Alto Networks Hub, which will let you choose which tenant to log in to. If you haven’t set up an account yet, you’ll be able to do so by clicking "Forgot Password?" on the new sign-in page.

If you’re currently using username and password for automation purposes via our APIs, please refer to the section below on "API Access Keys."

The Palo Alto Networks Hub

The hub shows all the products you’re authorized to use in an easy-to-navigate dashboard to give you better visibility of your overall security posture.

API Access Keys

We have implemented API access keys, providing system administrators the ability to grant or revoke users’ access key permissions to communicate with our APIs. Existing username and password-based automations will not be immediately disabled. Your automations will continue to work; however, we strongly recommend you adopt the new access keys for more secure access. Our intention is to sunset local passwords altogether from Prisma Cloud in a few months. We’ll send reminders to those using username and password-based automation to switch over to access keys before deprecating local passwords, to ensure your business remains uninterrupted.

For additional information, please watch: Prisma Cloud: Product Update and Demo
jeisenhart 08-13-2019 10:30 AM