This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Features Introduced in 20.11.2 Release, November 2020

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Features Introduced in 20.11.2 Release, November 2020

ENwankwo1
L0 Member

on ‎01-25-2021 03:36 PM - edited on ‎02-04-2022 12:51 PM by

Did you find this article helpful? Yes No
No ratings

 

New Features Introduced in 20.11.2

 

New Features

 
FEATURE
DESCRIPTION
Additional Billable Resources
The Prisma Cloud Visibility, Compliance, and Governance modules now count your usage of the following resources towards Prisma Cloud credits:
 
  • Azure—Azure PostgreSQL Database
 
  • Azure—SQL Managed Instance
 
  • GCP—GCP Load Balancing
 
  • GCP—Cloud NAT
 
With this update, the current list of resources counted towards Prisma Cloud credits are the following:
 
  • AWS
  • EC2
  • RDS
  • Redshift
  • ELB
  • NAT gateway
  • Azure
  • Virtual Machines
  • SQL DB
  • PostgreSQL
  • SQL Managed Instance
  • Load Balancer
  • GCP
  • GCE
  • CloudSQL
  • Cloud Load Balancing
  • Cloud NAT
  • Alibaba Cloud
  • ECS
 
RQL Syntax Updates for Extensibility
The Prisma Cloud RQL syntax is updated to enable better visibility and support ingestion of new data sources to monitor your resources deployed across different cloud platforms.
All the existing RQL queries used in Prisma Cloud default policies, custom policies, saved searches and recent searches of the Investigate page on Prisma Cloud will be automatically updated to this new syntax, and do not need any action from you. For any out-of-band policies or automation scripts using Prisma Cloud search API:
https://api.<your Prisma Cloud tenant URL>/search/
, make sure to update the syntax as follows:
 
  • config where <rest of the query> to config from cloud.resource where <rest of the query>
 
  • event where <rest of the query> to event from cloud.audit_logs where <rest of the query>
 
  • network where <rest of the query> to network from vpc.flow_records where <rest of the query>
 
The config where, event where and network where query format is being deprecated. To give you time to get used to the language changes, RQL statements will work with the older syntax. When creating new queries or saved searches, please use the new query format, because the older syntax will be removed in a future release.
New Look
 Policies Table
The Policies page is updated with a new layout that supports a quicker page load time, better visual appeal, and it includes a new Group By option so you can aggregate policies using criteria that is important to you.
 
Jenkins Plugin for Scanning IaC Templates
Try the new Jenkins plugin to scan your IaC templates against Prisma Cloud default policies or custom policies you define, and mitigate security or compliance risks directly in your DevOps processes. This functionality allows you to define severity-based failure criteria for your organizational needs and detect potential issues before you deploy your code to production. The failure criteria you defined is compared against the number of actual issues found to conclude a pass or fail result.
The Jenkins plugin enable you to scan Terraform v.11 through v.13, AWS CFT, and Kubernetes manifests. The file extensions supported are .yaml and .json for CFT and Kubernetes, and .tf and .json for Terraform.
Plugins Updates to support IaC Scan API v2
The currently available Prisma Cloud plugins or extensions for Visual Studio Code, Azure DevOps, GitLab—SCM and CI/CD, and GitHub are updated to use the IaC Scan API v2, and the installation and set up workflows are simplified.
Build Alert Rules and Resource List for IaC Scan
Resource Lists on Prisma Cloud enable visibility and the permissions to view IaC scan results on the Prisma Cloud administrative console.
You can specify any tags or labels to identify cloud resources, in a Resource List on Prisma Cloud and define role-based access control to specific administrative users only. These users can then view the scan results, on the DevOps Inventory, for the IaC templates that match the specified tags.
For build-time checks of IaC templates, you can also now define Build alert rules, where you choose the policies to detect security issues or misconfiguration and associate a resource list to match for specific tags.
 

 

Build alert rules do not create new alerts or notifications for policy violations, but they help you ensure all IaC template that include specific tags are consistently scanned against the same set of policies.
 

 

You can then view the scan results on the DevOps Inventory.
DevOps Inventory
Use 
Inventory
DevOps
 to review the IaC scan results. The DevOps Inventory provides a bird’s eye view of the total number of IaC scans performed across all the Prisma Cloud IaC Scan plugins including twistcli and directly accessing the IaC Scan APIs. It also displays the results on how many scans passed or failed policy checks, and how they sort by severity for your enforcement standards. The visual dashboard provides scan trends and results grouped by the repository that hosts your source code or templates.
 

 

The tabular view includes the details such as the scan status, the user who initiated the scan, the failure criteria defined for the scan, and resource list. When a template fails the scan, the scan results displays the count of the security issues detected— sorted by severity—and the list of policies that caused the failure.
 

 

 
 
API Ingestion
AWS Directory Service
aws-ds-directory
Additional permissions required:
ds:DescribeDirectories
ds:ListTagsForResource
AWS Web Application Firewall (v2)
aws-waf-v2-global-web-acl-resource
Additional permissions required:
wafv2:GetWebACL
wafv2:GetLoggingConfiguration
 
Azure SQL Database
azure-sql-server-list
The API is updated to retrieve the API lock and tag information in the JSON response.
 
Azure Monitor 
azure-monitor-log-profiles-list
Additional permissions required:
microsoft.insights/diagnosticSettings/read
The azure_prisma_cloud_read_only_role.json will be updated to include this permission.
 
Azure Storage
azure-storage-account-list
Updated the API to retrieve storage service properties for Cross-Origin Resource Sharing (CORS) metadata.
 
 
 

Policy and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.
 
NEW POLICIES AND POLICY UPDATES
New Policies
The following new policies are being added:
Azure Active Directory Guest users found
Identifies guest user accounts added on your Azure Active Directory instance to give you visibility so that you can review these accounts and reduce risk.Note: This policy monitors Azure Active Directory instances only and does not monitor Azure Subscriptions.
 
Azure Cosmos DB IP range filter not configured
Identifies Azure Cosmos databases where the IP range filter is empty and it does not restrict access to a defined set of IP addresses or IP range.
 
AWS SageMaker notebook instance is not placed in VPC
Identifies SageMaker notebook instances that are not placed inside a VPC to ensure that it cannot be accessed outside a VPC network.
 
AWS SageMaker notebook instance not encrypted using Customer Managed Key
Identifies SageMaker notebook instances that are not encrypted using Customer Managed Key to have more granular control over the data-at-rest encryption/decryption process and meet compliance requirements.
 
AWS SageMaker notebook instance IAM policy overly permissive to all traffic
Identifies SageMaker notebook instances with IAM policies that are overly permissive to all traffic, and does not restrict access to authorized users and applications only.
 
GCP Kubernetes cluster node auto-upgrade configuration disabled
Identifies GCP Kubernetes cluster nodes where the auto-repair configuration disabled, and therefore the nodes in your cluster are not up-to-date with the cluster master version when your master is updated.
 
GCP Kubernetes cluster node auto-repair configuration disabled
Identifies GCP Kubernetes cluster nodes where the auto-upgrade configuration is disabled and prevents periodic checks on the health state of each node in your cluster.
 
GCP Kubernetes Cluster Shielded GKE Nodes feature disabled
Identifies Kubernetes clusters for which Shielded GKE nodes is not enabled to harden the underlying node and protect against a host of attacks against boot and root-kits.
Policy Updates—Recommendation
AWS Default Security Group does not restrict all traffic
Updated Recommendation—The recommendation is updated to meet the revised CIS guideline for the policy.
Policy Updates—RQL and Metadata
AWS Elasticsearch IAM policy allows internet traffic
Updated RQL—The RQL has been updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?any((Condition.IpAddress.aws:SourceIp contains 0.0.0.0/0 or Condition.IpAddress.aws:SourceIp contains ::/0) and Effect equals Allow and Action anyStartWith es:)] exists
With this change, the policy is enhanced to check for the IPv6 default route ::/0..
Azure Security Center email notification for subscription owner is not set
Updated Metadata—Displays the timestamp for the 
lastModifiedOn
 attribute to indicate when the last change was made in Azure Security Center.
Azure Monitor log profile does not capture all activities
Updated RQL—The RQL has been updated to
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and (properties.categories[] does not contain Write or properties.categories[] does not contain Delete or properties.categories[*] does not contain Action)'
With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved.
Azure log profile not capturing activity logs for all regions
Updated RQL—The RQL has been updated to
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and properties.isCapturingLogsForAllRegions is false'
With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved.
Activity Log Retention should not be set to less than 365 days
Updated RQL—The RQL has been updated to
config from cloud.resource where cloud.type = 'azure' AND cloud.service = 'Azure Monitor' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and (properties.retentionPolicy !exists or (properties.retentionPolicy.days != 0 and properties.retentionPolicy.days < 365))'
With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved.
Azure SQL Database with Auditing Retention less than 90 days
Updated RQL—The RQL has been updated to
config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.state equals Disabled or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as X; config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = 'blobAuditPolicy does not exist or blobAuditPolicy is empty or blobAuditPolicy.properties.retentionDays does not exist or (blobAuditPolicy.properties.state equals Enabled and blobAuditPolicy.properties.retentionDays does not equal 0 and blobAuditPolicy.properties.retentionDays less than 90)' as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show Y;
With this change, the policy checks the audit policy configured for the SQL server. Some alerts may be reopened due this additional check.
 
 
 
 

REST API Updates

 
CHANGE
DESCRIPTION
Resource List APIs
A new set of APIs enables you to create and manage Resource Lists in Prisma Cloud.
Update
 Deprecated Prisma Cloud Licensing APIs have been removed
The following deprected APIs have been removed:
 
  • POST /usage/{cloud_type}
 
  • POST /timeline/usage
 
  • POST /v2/usage
 

 

Rate this article:
0 Likes Likes
Register or Sign-in
Article Dashboard
Version history
Last update:
‎02-04-2022 12:51 PM
Updated by:
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks