Features Introduced in 20.11.2 Release, November 2020

ENwankwo1 · ‎12-08-2020

New Features Introduced in 20.11.2

New Features

FEATURE	DESCRIPTION
Additional Billable Resources	The Prisma Cloud Visibility, Compliance, and Governance modules now count your usage of the following resources towards Prisma Cloud credits: Azure—Azure PostgreSQL Database Azure—SQL Managed Instance GCP—GCP Load Balancing GCP—Cloud NAT With this update, the current list of resources counted towards Prisma Cloud credits are the following: AWS EC2 RDS Redshift ELB NAT gateway Azure Virtual Machines SQL DB PostgreSQL SQL Managed Instance Load Balancer GCP GCE CloudSQL Cloud Load Balancing Cloud NAT Alibaba Cloud ECS
RQL Syntax Updates for Extensibility	The Prisma Cloud RQL syntax is updated to enable better visibility and support ingestion of new data sources to monitor your resources deployed across different cloud platforms. All the existing RQL queries used in Prisma Cloud default policies, custom policies, saved searches and recent searches of the Investigate page on Prisma Cloud will be automatically updated to this new syntax, and do not need any action from you. For any out-of-band policies or automation scripts using Prisma Cloud search API: https://api.<your Prisma Cloud tenant URL>/search/ , make sure to update the syntax as follows: config where <rest of the query> to config from cloud.resource where <rest of the query> event where <rest of the query> to event from cloud.audit_logs where <rest of the query> network where <rest of the query> to network from vpc.flow_records where <rest of the query> The config where, event where and network where query format is being deprecated. To give you time to get used to the language changes, RQL statements will work with the older syntax. When creating new queries or saved searches, please use the new query format, because the older syntax will be removed in a future release.
New Look Policies Table	The Policies page is updated with a new layout that supports a quicker page load time, better visual appeal, and it includes a new Group By option so you can aggregate policies using criteria that is important to you.
Jenkins Plugin for Scanning IaC Templates	Try the new Jenkins plugin to scan your IaC templates against Prisma Cloud default policies or custom policies you define, and mitigate security or compliance risks directly in your DevOps processes. This functionality allows you to define severity-based failure criteria for your organizational needs and detect potential issues before you deploy your code to production. The failure criteria you defined is compared against the number of actual issues found to conclude a pass or fail result. The Jenkins plugin enable you to scan Terraform v.11 through v.13, AWS CFT, and Kubernetes manifests. The file extensions supported are .yaml and .json for CFT and Kubernetes, and .tf and .json for Terraform.
Plugins Updates to support IaC Scan API v2	The currently available Prisma Cloud plugins or extensions for Visual Studio Code, Azure DevOps, GitLab—SCM and CI/CD, and GitHub are updated to use the IaC Scan API v2, and the installation and set up workflows are simplified.
Build Alert Rules and Resource List for IaC Scan	Resource Lists on Prisma Cloud enable visibility and the permissions to view IaC scan results on the Prisma Cloud administrative console. You can specify any tags or labels to identify cloud resources, in a Resource List on Prisma Cloud and define role-based access control to specific administrative users only. These users can then view the scan results, on the DevOps Inventory, for the IaC templates that match the specified tags. For build-time checks of IaC templates, you can also now define Build alert rules, where you choose the policies to detect security issues or misconfiguration and associate a resource list to match for specific tags. Build alert rules do not create new alerts or notifications for policy violations, but they help you ensure all IaC template that include specific tags are consistently scanned against the same set of policies. You can then view the scan results on the DevOps Inventory.
DevOps Inventory	Use Inventory DevOps to review the IaC scan results. The DevOps Inventory provides a bird’s eye view of the total number of IaC scans performed across all the Prisma Cloud IaC Scan plugins including twistcli and directly accessing the IaC Scan APIs. It also displays the results on how many scans passed or failed policy checks, and how they sort by severity for your enforcement standards. The visual dashboard provides scan trends and results grouped by the repository that hosts your source code or templates. The tabular view includes the details such as the scan status, the user who initiated the scan, the failure criteria defined for the scan, and resource list. When a template fails the scan, the scan results displays the count of the security issues detected— sorted by severity—and the list of policies that caused the failure.
API Ingestion	AWS Directory Service — aws-ds-directory Additional permissions required: ds:DescribeDirectories ds:ListTagsForResource
API Ingestion	AWS Web Application Firewall (v2) — aws-waf-v2-global-web-acl-resource Additional permissions required: wafv2:GetWebACL wafv2:GetLoggingConfiguration
	Azure SQL Database — azure-sql-server-list The API is updated to retrieve the API lock and tag information in the JSON response.
	Azure Monitor — azure-monitor-log-profiles-list Additional permissions required: microsoft.insights/diagnosticSettings/read The azure_prisma_cloud_read_only_role.json will be updated to include this permission.
	Azure Storage — azure-storage-account-list Updated the API to retrieve storage service properties for Cross-Origin Resource Sharing (CORS) metadata.

Policy and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.

NEW POLICIES AND POLICY UPDATES
New Policies	The following new policies are being added: Azure Active Directory Guest users found Identifies guest user accounts added on your Azure Active Directory instance to give you visibility so that you can review these accounts and reduce risk.Note: This policy monitors Azure Active Directory instances only and does not monitor Azure Subscriptions.
	Azure Cosmos DB IP range filter not configured Identifies Azure Cosmos databases where the IP range filter is empty and it does not restrict access to a defined set of IP addresses or IP range.
	AWS SageMaker notebook instance is not placed in VPC Identifies SageMaker notebook instances that are not placed inside a VPC to ensure that it cannot be accessed outside a VPC network.
	AWS SageMaker notebook instance not encrypted using Customer Managed Key Identifies SageMaker notebook instances that are not encrypted using Customer Managed Key to have more granular control over the data-at-rest encryption/decryption process and meet compliance requirements.
	AWS SageMaker notebook instance IAM policy overly permissive to all traffic Identifies SageMaker notebook instances with IAM policies that are overly permissive to all traffic, and does not restrict access to authorized users and applications only.
	GCP Kubernetes cluster node auto-upgrade configuration disabled Identifies GCP Kubernetes cluster nodes where the auto-repair configuration disabled, and therefore the nodes in your cluster are not up-to-date with the cluster master version when your master is updated.
	GCP Kubernetes cluster node auto-repair configuration disabled Identifies GCP Kubernetes cluster nodes where the auto-upgrade configuration is disabled and prevents periodic checks on the health state of each node in your cluster.
	GCP Kubernetes Cluster Shielded GKE Nodes feature disabled Identifies Kubernetes clusters for which Shielded GKE nodes is not enabled to harden the underlying node and protect against a host of attacks against boot and root-kits.
Policy Updates—Recommendation	AWS Default Security Group does not restrict all traffic Updated Recommendation—The recommendation is updated to meet the revised CIS guideline for the policy.
Policy Updates—RQL and Metadata	AWS Elasticsearch IAM policy allows internet traffic Updated RQL—The RQL has been updated to config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?any((Condition.IpAddress.aws:SourceIp contains 0.0.0.0/0 or Condition.IpAddress.aws:SourceIp contains ::/0) and Effect equals Allow and Action anyStartWith es:)] exists With this change, the policy is enhanced to check for the IPv6 default route ::/0..
	Azure Security Center email notification for subscription owner is not set Updated Metadata—Displays the timestamp for the lastModifiedOn attribute to indicate when the last change was made in Azure Security Center.
	Azure Monitor log profile does not capture all activities Updated RQL—The RQL has been updated to config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and (properties.categories[] does not contain Write or properties.categories[] does not contain Delete or properties.categories[*] does not contain Action)' With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved.
	Azure log profile not capturing activity logs for all regions Updated RQL—The RQL has been updated to config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and properties.isCapturingLogsForAllRegions is false' With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved.
	Activity Log Retention should not be set to less than 365 days Updated RQL—The RQL has been updated to config from cloud.resource where cloud.type = 'azure' AND cloud.service = 'Azure Monitor' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and (properties.retentionPolicy !exists or (properties.retentionPolicy.days != 0 and properties.retentionPolicy.days < 365))' With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved.
	Azure SQL Database with Auditing Retention less than 90 days Updated RQL—The RQL has been updated to config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.state equals Disabled or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as X; config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = 'blobAuditPolicy does not exist or blobAuditPolicy is empty or blobAuditPolicy.properties.retentionDays does not exist or (blobAuditPolicy.properties.state equals Enabled and blobAuditPolicy.properties.retentionDays does not equal 0 and blobAuditPolicy.properties.retentionDays less than 90)' as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show Y; With this change, the policy checks the audit policy configured for the SQL server. Some alerts may be reopened due this additional check.

REST API Updates

CHANGE	DESCRIPTION
Resource List APIs	A new set of APIs enables you to create and manage Resource Lists in Prisma Cloud.
Update Deprecated Prisma Cloud Licensing APIs have been removed	The following deprected APIs have been removed: POST /usage/{cloud_type} POST /timeline/usage POST /v2/usage

Strata

Prisma

Cortex

Features Introduced in 20.11.2 Release, November 2020

Features Introduced in 20.11.2 Release, November 2020