Prisma Cloud Updates December 2019

Community Team Member


 

Palo Alto Networks reveals new Prisma Cloud updates for December 2019. Review the new features in Prisma Cloud and the new policies available to you to help keep your cloud secure from threats. Get answers in LIVEcommunity.

 

2019 has been a very impressive year for Prisma Cloud with a lot of updates every month. Now, in December, there are some new features and some policy updates that I would like to tell you about.

 

Some of the new features include the ability to ingest configuration data, CloudTrail, and VPC flow logs from AWS GovCloud (East). Also, you are now able to define up to five CLI commands in a sequence for an automatic remediation workflow. Read all the details below, or in the release notes from our TechDocs team.

 

 

Prisma Cloud New Features*

FEATURE DESCRIPTION
Automated Remediation CLI for Multi-Step Tasks

In a Prisma Cloud custom policy, you can now define up to five CLI commands in a sequence for an automatic remediation workflow such as disassociating an EC2 instance from a security group before deleting the EC2 instance. To resolve an alert, you can separate each command with a semi-colon, and the sequence is executed in the order defined in policy. If an automated remediation CLI command fails, the execution stops at that command.
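The sequencing rules described above (semicolon-separated commands, at most five, stop at the first failure) can be modelled for a dry run before a sequence goes into a policy. This is an added example, not Prisma Cloud code: the function names, the `runner` callable, and the instance and security group IDs are constructed, and it assumes commands are split on every semicolon.

```python
import shlex
from dataclasses import dataclass, field
from typing import Optional

MAX_STEPS = 5  # limit stated in the feature description


@dataclass
class RunReport:
    succeeded: list = field(default_factory=list)
    failed: Optional[str] = None
    not_run: list = field(default_factory=list)


def parse_sequence(cli):
    """Split a remediation string on semicolons and enforce the limit."""
    steps = [s.strip() for s in cli.split(";")]
    if steps and steps[-1] == "":  # tolerate a single trailing semicolon
        steps.pop()
    if not steps or any(s == "" for s in steps):
        raise ValueError("empty command in sequence")
    if len(steps) > MAX_STEPS:
        raise ValueError(f"{len(steps)} commands, limit is {MAX_STEPS}")
    for s in steps:
        shlex.split(s)  # ValueError on unbalanced quotes (e.g. a ';' inside quotes)
    return steps


def run_sequence(cli, runner):
    """Run steps in order and stop at the first failing command.

    runner is a hypothetical callable: argv list in, exit code out.
    """
    steps = parse_sequence(cli)
    report = RunReport()
    for i, step in enumerate(steps):
        if runner(shlex.split(step)) != 0:
            report.failed = step
            report.not_run = steps[i + 1:]
            break
        report.succeeded.append(step)
    return report


# Constructed sample: move the instance to another group, then delete it.
SAMPLE = (
    "aws ec2 modify-instance-attribute --instance-id i-0123456789abcdef0 "
    "--groups sg-0aaaabbbbccccdddd; "
    "aws ec2 terminate-instances --instance-ids i-0123456789abcdef0"
)
```

Because execution stops at the failing command, earlier steps stay applied; the report shows which state the resource was left in, so order the commands so that a stop partway through is still safe.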

 

Event RQL Attribute for Anomaly Policy

The event where query enables you to identify and investigate events relating to the different types of anomalies such as bruteforce login attempts or location-based anomalies using the attribute anomaly.type.

 

For example, event where anomaly.type IN ( 'Activity-based Anomaly (UBA)', 'Bruteforce Login', 'Device finger print (Account Hijacking)', 'Impossible time travel (Account Hijacking)', 'Location & Activity-based Anomaly (UBA)', 'Location-based Anomaly (UBA)' )

 

You also have the option to look for anomalous activities with the has.anomaly or exclude them with NOT has.anomaly attributes.

 

Support for AWS GovCloud (East)

Prisma Cloud can now ingest configuration data, CloudTrail, and VPC flow logs from the AWS GovCloud (East) region, in addition to the current support for the AWS GovCloud (West) region.

 

 

 

Prisma Cloud Policy Updates*

Then there are the Policy updates. This is an important section, as it shows which policies have been updated and what they do.

 

POLICY DESCRIPTION
Permission Updates for AWS CFTs

The permission in the AWS read-only and read-write CFTs for AWS public cloud and AWS GovCloud are updated to include ec2:describeRegions. With this update Prisma Cloud can get data on the AWS cloud accounts for all enabled regions.

 

Rename—Azure Security Center policy update

The policy "Automatic provisioning of monitoring agent is set to Off in Security Center" is renamed to "Azure Security Center automatic provisioning of monitoring agent is set to Off". Also, the RQL is updated to use api.name = 'azure-security-center-settings'.

 

Update—AWS Amazon Machine Image (AMI) is publicly accessible

The policy AWS Amazon Machine Image (AMI) is publicly accessible is updated to find every public AMI owned by the account. These AMIs are now ingested, in addition to the AMIs that are private or shared with the account being monitored on Prisma Cloud.

 

AWS EMR cluster is not configured with security configuration

Identifies Amazon EMR clusters that do not use security configurations to configure data encryption, Kerberos authentication, and Amazon S3 authorization for EMRFS.

 

AWS EMR cluster is not configured with Kerberos authentication

Identifies AWS EMR clusters that are not configured with Kerberos authentication.

AWS EMR cluster is not configured with SSE KMS for data at rest encryption (Amazon S3 with EMRFS)

Identifies EMR clusters that are not configured with Server-Side Encryption Key Management Service (SSE KMS) for data at rest encryption of Amazon S3 with EMRFS.

AWS EMR cluster is not configured with CSE CMK for data at rest encryption (Amazon S3 with EMRFS)

Identifies EMR clusters which are not configured with Client Side Encryption Customer Master Keys (CSE CMK) for data at rest encryption of Amazon S3 with EMRFS.

AWS EMR cluster is not enabled with local disk encryption using CMK

Identifies AWS EMR clusters which are not enabled with local disk encryption using Customer Managed Key (CMK) to protect digital data confidentiality.

 

AWS EMR cluster is not enabled with local disk encryption

Identifies AWS EMR clusters that are not enabled for encrypting data stored on the local disk to protect digital data confidentiality.

 

AWS EMR clusters are not enabled with encryption in transit

Identifies AWS EMR clusters which are not enabled with encryption in transit, to protect data from unauthorized access as it travels through the network, between clients and storage servers.

 

AWS EMR clusters are not enabled with encryption at rest

Identifies AWS EMR clusters that are not enabled with encryption at rest to protect digital data confidentiality.
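To see what the EMR policies above look for, the following added example evaluates an EMR security configuration document against each of the eight policy areas. It is not Prisma Cloud's RQL or policy code: the check names, the mapping of "CMK" to the AwsKms key provider and of "CSE CMK" to the CSE-KMS mode, and the sample configuration are assumptions made here.

```python
import json


def check_emr_security_config(cfg):
    """Map each policy area to True (compliant) or False (would be flagged).

    cfg is the parsed EMR security configuration JSON, or None when the
    cluster has no security configuration attached.
    """
    cfg = cfg or {}
    enc = cfg.get("EncryptionConfiguration", {})
    # Detail blocks only count when the matching Enable* flag is true.
    at_rest_on = enc.get("EnableAtRestEncryption") is True
    at_rest = enc.get("AtRestEncryptionConfiguration", {}) if at_rest_on else {}
    s3_mode = at_rest.get("S3EncryptionConfiguration", {}).get("EncryptionMode")
    disk = at_rest.get("LocalDiskEncryptionConfiguration", {})
    auth = cfg.get("AuthenticationConfiguration", {})
    return {
        "security_configuration": bool(cfg),
        "kerberos": bool(auth.get("KerberosConfiguration")),
        # SSE-KMS and CSE-KMS are alternative S3 modes: at most one passes.
        "s3_sse_kms": s3_mode == "SSE-KMS",
        "s3_cse_cmk": s3_mode == "CSE-KMS",
        "local_disk": bool(disk),
        "local_disk_cmk": disk.get("EncryptionKeyProviderType") == "AwsKms",
        "in_transit": enc.get("EnableInTransitEncryption") is True,
        "at_rest": at_rest_on,
    }


def flagged(cfg):
    """Sorted names of the checks a configuration fails."""
    return sorted(k for k, ok in check_emr_security_config(cfg).items() if not ok)


# Constructed sample: at-rest encryption with SSE-S3 and a KMS-backed local
# disk key, but no in-transit encryption and no Kerberos.
SAMPLE = json.loads("""
{
  "EncryptionConfiguration": {
    "EnableInTransitEncryption": false,
    "EnableAtRestEncryption": true,
    "AtRestEncryptionConfiguration": {
      "S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"},
      "LocalDiskEncryptionConfiguration": {
        "EncryptionKeyProviderType": "AwsKms",
        "AwsKmsKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
      }
    }
  }
}
""")
```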

 

* – Both New Features and Policy updates were reprinted from the Features Introduced in December 2019 page.

 

Be sure to keep visiting the LIVEcommunity and blog for new updates or new features weekly.

 

More Info

For a history of all updates that Prisma Cloud has received in 2019, please see the following article:

Prisma™ Cloud Features Introduced in 2019

 

For more information on use and configuration for Prisma Cloud, please refer to the following:

Prisma™ Cloud Administrator’s Guide

 

Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumb up) button, and don't forget to SUBSCRIBE to the LIVEcommunity Blog area.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Joe Delio
End of line
