on 01-25-2021 03:36 PM - edited on 02-04-2022 12:51 PM by RPrasadi

FEATURE | DESCRIPTION
---|---
Additional Billable Resources | The Prisma Cloud Visibility, Compliance, and Governance modules now count your usage of the following resources towards Prisma Cloud credits: With this update, the current list of resources counted towards Prisma Cloud credits is the following:
RQL Syntax Updates for Extensibility | The Prisma Cloud RQL syntax is updated to enable better visibility and to support ingestion of new data sources for monitoring your resources deployed across different cloud platforms. All existing RQL queries used in Prisma Cloud default policies, custom policies, saved searches, and recent searches on the Investigate page are automatically updated to the new syntax and need no action from you. For any out-of-band policies or automation scripts that use the Prisma Cloud search API (https://api.<your Prisma Cloud tenant URL>/search/), make sure to update the syntax as follows: The `config where`, `event where`, and `network where` query formats are deprecated. To give you time to adopt the language changes, RQL statements still work with the older syntax. When creating new queries or saved searches, use the new query format, because the older syntax will be removed in a future release.
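For automation scripts that still send queries in the deprecated `config where` form to the search API, the following Python helper is an added example (not Prisma Cloud's own tooling) that rewrites each deprecated statement prefix to the `from` form. The `config` to `cloud.resource` mapping is the one used by the updated policy RQL in these notes; the `event` to `cloud.audit_logs` and `network` to `vpc.flow_records` targets are the documented new sources and are assumed here. The saved-search record shape is constructed, not an API format.

```python
import re

# Deprecated "<type> where ..." prefix -> new "<type> from <source> where ..." prefix.
# config -> cloud.resource is the form used by the updated policy RQL in this release;
# event -> cloud.audit_logs and network -> vpc.flow_records are the documented new sources
# (assumed here; verify against your tenant's RQL reference).
RQL_PREFIX_MAP = {
    "config": "config from cloud.resource where",
    "event": "event from cloud.audit_logs where",
    "network": "network from vpc.flow_records where",
}

# Matches a deprecated statement prefix at the start of the query or right after a ';'
# (multi-statement queries such as "... as X; config where ... as Y; filter ...; show Y;").
# The new form ("config from ... where") does not match, so it is left untouched.
_OLD_PREFIX = re.compile(r"(^|;)(\s*)(config|event|network)\s+where\b", re.IGNORECASE)


def needs_migration(query: str) -> bool:
    """True if the query still uses a deprecated statement prefix."""
    return _OLD_PREFIX.search(query) is not None


def migrate_rql(query: str) -> str:
    """Rewrite every deprecated statement prefix in an RQL query; new-syntax queries are unchanged."""
    def _repl(m: re.Match) -> str:
        return m.group(1) + m.group(2) + RQL_PREFIX_MAP[m.group(3).lower()]
    return _OLD_PREFIX.sub(_repl, query)


def migrate_saved_searches(searches):
    """Return (updated_records, names_changed) for a list of {"name": ..., "query": ...}
    records, a constructed shape for a script that keeps its own saved searches."""
    updated, changed = [], []
    for s in searches:
        new_query = migrate_rql(s["query"])
        if new_query != s["query"]:
            changed.append(s["name"])
        updated.append({**s, "query": new_query})
    return updated, changed


if __name__ == "__main__":
    # Constructed sample queries in the deprecated syntax, plus one already migrated.
    samples = [
        {"name": "ds-dirs", "query": "config where cloud.type = 'aws' AND api.name = 'aws-ds-directory'"},
        {"name": "sql-audit", "query": "config where api.name = 'azure-sql-server-list' as X; "
                                       "config where api.name = 'azure-sql-db-list' as Y; "
                                       "filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show Y;"},
        {"name": "already-new", "query": "event from cloud.audit_logs where cloud.type = 'aws'"},
    ]
    updated, changed = migrate_saved_searches(samples)
    for rec in updated:
        print(f"{rec['name']}: {'migrated' if rec['name'] in changed else 'unchanged'}\n  {rec['query']}")
```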
FEATURE | DESCRIPTION
---|---
New Look Policies Table | The Policies page is updated with a new layout that loads faster and looks better, and it includes a new Group By option so you can aggregate policies by the criteria that matter to you.
Jenkins Plugin for Scanning IaC Templates | Try the new Jenkins plugin to scan your IaC templates against Prisma Cloud default policies or custom policies you define, and mitigate security or compliance risks directly in your DevOps processes. You can define severity-based failure criteria for your organizational needs and detect potential issues before you deploy your code to production; the failure criteria you define are compared against the number of issues actually found to produce a pass or fail result. The Jenkins plugin enables you to scan Terraform v.11 through v.13, AWS CFT, and Kubernetes manifests. The supported file extensions are .yaml and .json for CFT and Kubernetes, and .tf and .json for Terraform.
Plugins Updates to support IaC Scan API v2 | The currently available Prisma Cloud plugins and extensions for Visual Studio Code, Azure DevOps, GitLab (SCM and CI/CD), and GitHub are updated to use the IaC Scan API v2, and the installation and setup workflows are simplified.
Build Alert Rules and Resource List for IaC Scan | Resource Lists on Prisma Cloud provide visibility into, and the permissions to view, IaC scan results on the Prisma Cloud administrative console. You can specify any tags or labels that identify cloud resources in a Resource List and, through role-based access control, restrict it to specific administrative users only. Those users can then view the scan results on the DevOps Inventory for the IaC templates that match the specified tags. For build-time checks of IaC templates, you can now also define Build alert rules, in which you choose the policies that detect security issues or misconfigurations and associate a Resource List to match specific tags. You can then view the scan results on the DevOps Inventory.
DevOps Inventory | Use Inventory > DevOps to view IaC scan results. The tabular view includes details such as the scan status, the user who initiated the scan, the failure criteria defined for the scan, and the Resource List. When a template fails the scan, the scan results display the count of security issues detected, sorted by severity, and the list of policies that caused the failure.
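The pass/fail decision described for the Jenkins plugin, and the severity-sorted failure summary shown on the DevOps Inventory, can be reproduced locally to sanity-check a pipeline gate. This is an added example, not the plugin's code: the findings list is constructed, and the threshold semantics (a severity breaches when its count exceeds the configured maximum; `or` fails on any breach, `and` only when every listed severity breaches) are an assumption about how the criteria are applied.

```python
from collections import Counter

SEVERITY_ORDER = ("high", "medium", "low")


def count_by_severity(findings):
    """Count findings per severity, always returning all three keys."""
    counts = Counter(f["severity"].lower() for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def evaluate_failure_criteria(findings, criteria, operator="or"):
    """Compare finding counts with severity-based failure criteria.

    criteria maps severity -> maximum tolerated count (assumed semantics: a severity
    breaches when its count is strictly greater than the threshold). With operator "or"
    the scan fails when any listed severity breaches; with "and" only when all of them do.
    Returns the verdict, the per-severity counts, the breached severities, and the
    policies that caused the failure sorted by severity (high first), as on the inventory.
    """
    if operator not in ("or", "and"):
        raise ValueError(f"unsupported operator: {operator!r}")
    counts = count_by_severity(findings)
    breached = [sev for sev in SEVERITY_ORDER if sev in criteria and counts[sev] > criteria[sev]]
    if operator == "or":
        failed = bool(breached)
    else:
        failed = bool(criteria) and len(breached) == len(criteria)
    failing_policies = sorted(
        {(f["policy"], f["severity"].lower()) for f in findings if f["severity"].lower() in breached},
        key=lambda p: (SEVERITY_ORDER.index(p[1]), p[0]),
    )
    return {"passed": not failed, "counts": counts, "breached": breached, "policies": failing_policies}


# Constructed sample findings (not Prisma Cloud's output format): one entry per violated
# policy instance, using policy names that appear in these release notes.
SAMPLE_FINDINGS = [
    {"policy": "AWS Default Security Group does not restrict all traffic", "severity": "high"},
    {"policy": "Azure SQL Database with Auditing Retention less than 90 days", "severity": "medium"},
    {"policy": "Azure SQL Database with Auditing Retention less than 90 days", "severity": "medium"},
    {"policy": "GCP Kubernetes Cluster Shielded GKE Nodes feature disabled", "severity": "medium"},
    {"policy": "AWS SageMaker notebook instance is not placed in VPC", "severity": "low"},
]

if __name__ == "__main__":
    result = evaluate_failure_criteria(SAMPLE_FINDINGS, {"high": 0, "medium": 2, "low": 5})
    print("PASS" if result["passed"] else "FAIL", result["counts"])
    for policy, sev in result["policies"]:
        print(f"  [{sev}] {policy}")
```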
FEATURE | DESCRIPTION
---|---
API Ingestion: AWS Directory Service | `aws-ds-directory`. Additional permissions required: `ds:DescribeDirectories`, `ds:ListTagsForResource`.
API Ingestion: AWS Web Application Firewall (v2) | `aws-waf-v2-global-web-acl-resource`. Additional permissions required: `wafv2:GetWebACL`, `wafv2:GetLoggingConfiguration`.
API Ingestion: Azure SQL Database | `azure-sql-server-list`. The API is updated to retrieve the API lock and tag information in the JSON response.
API Ingestion: Azure Monitor | `azure-monitor-log-profiles-list`. Additional permissions required: `microsoft.insights/diagnosticSettings/read`. The azure_prisma_cloud_read_only_role.json will be updated to include this permission.
API Ingestion: Azure Storage | `azure-storage-account-list`. The API is updated to retrieve storage service properties for Cross-Origin Resource Sharing (CORS) metadata.
NEW POLICIES AND POLICY UPDATES | DESCRIPTION
---|---
New Policies | The following new policies are being added:
Azure Active Directory Guest users found | Identifies guest user accounts added to your Azure Active Directory instance, giving you visibility so that you can review these accounts and reduce risk. Note: This policy monitors Azure Active Directory instances only and does not monitor Azure Subscriptions.
Azure Cosmos DB IP range filter not configured | Identifies Azure Cosmos databases where the IP range filter is empty and therefore does not restrict access to a defined set of IP addresses or IP ranges.
AWS SageMaker notebook instance is not placed in VPC | Identifies SageMaker notebook instances that are not placed inside a VPC, so that they cannot be accessed from outside a VPC network.
AWS SageMaker notebook instance not encrypted using Customer Managed Key | Identifies SageMaker notebook instances that are not encrypted using a Customer Managed Key, which gives more granular control over the data-at-rest encryption/decryption process and helps meet compliance requirements.
AWS SageMaker notebook instance IAM policy overly permissive to all traffic | Identifies SageMaker notebook instances with IAM policies that are overly permissive to all traffic and do not restrict access to authorized users and applications only.
GCP Kubernetes cluster node auto-upgrade configuration disabled | Identifies GCP Kubernetes cluster nodes where the auto-repair configuration is disabled, and therefore the nodes in your cluster are not kept up to date with the cluster master version when your master is updated.
GCP Kubernetes cluster node auto-repair configuration disabled | Identifies GCP Kubernetes cluster nodes where the auto-upgrade configuration is disabled, which prevents periodic checks on the health state of each node in your cluster.
GCP Kubernetes Cluster Shielded GKE Nodes feature disabled | Identifies Kubernetes clusters for which Shielded GKE Nodes is not enabled; the feature hardens the underlying node and protects against a host of attacks on the boot process and against rootkits.
Policy Updates—Recommendation | 
AWS Default Security Group does not restrict all traffic | Updated Recommendation—The recommendation is updated to meet the revised CIS guideline for the policy.
Policy Updates—RQL and Metadata | 
AWS Elasticsearch IAM policy allows internet traffic | Updated RQL—The RQL has been updated to `config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?any((Condition.IpAddress.aws:SourceIp contains 0.0.0.0/0 or Condition.IpAddress.aws:SourceIp contains ::/0) and Effect equals Allow and Action anyStartWith es:)] exists`. With this change, the policy is enhanced to also check for the IPv6 default route ::/0.
Azure Security Center email notification for subscription owner is not set | Updated Metadata—Displays the timestamp for the `lastModifiedOn` attribute to indicate when the last change was made in Azure Security Center.
Azure Monitor log profile does not capture all activities | Updated RQL—The RQL has been updated to `config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and (properties.categories[] does not contain Write or properties.categories[] does not contain Delete or properties.categories[*] does not contain Action)'`. With this change, the azure-monitor-log-profiles-list API also checks whether diagnostic settings are enabled to export activity logs, and any open alerts will be resolved.
Azure log profile not capturing activity logs for all regions | Updated RQL—The RQL has been updated to `config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and properties.isCapturingLogsForAllRegions is false'`. With this change, the azure-monitor-log-profiles-list API also checks whether diagnostic settings are enabled to export activity logs, and any open alerts will be resolved.
Activity Log Retention should not be set to less than 365 days | Updated RQL—The RQL has been updated to `config from cloud.resource where cloud.type = 'azure' AND cloud.service = 'Azure Monitor' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and (properties.retentionPolicy !exists or (properties.retentionPolicy.days != 0 and properties.retentionPolicy.days < 365))'`. With this change, the azure-monitor-log-profiles-list API also checks whether diagnostic settings are enabled to export activity logs, and any open alerts will be resolved.
Azure SQL Database with Auditing Retention less than 90 days | Updated RQL—The RQL has been updated to `config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.state equals Disabled or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as X; config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = 'blobAuditPolicy does not exist or blobAuditPolicy is empty or blobAuditPolicy.properties.retentionDays does not exist or (blobAuditPolicy.properties.state equals Enabled and blobAuditPolicy.properties.retentionDays does not equal 0 and blobAuditPolicy.properties.retentionDays less than 90)' as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show Y;`. With this change, the policy also checks the audit policy configured for the SQL server. Some alerts may be reopened due to this additional check.
CHANGE | DESCRIPTION
---|---
Resource List APIs | A new set of APIs enables you to create and manage Resource Lists in Prisma Cloud.
Update: Deprecated Prisma Cloud Licensing APIs have been removed | The following deprecated APIs have been removed: