Prisma Cloud Release Notes 20.10.1, for October, 2020

Features Introduced in 20.10.1

New Features

Role-Based Authentication on Amazon SQS Integration
When integrating Prisma Cloud with Amazon SQS, you can now specify an IAM Role to enable alert notifications to SQS. If you use Assume Role for cross-account access to AWS resources, you can provide the Role ARN and External ID associated with the IAM Role on Prisma Cloud.

Support for CIS v1.1.0 on GCP and CIS v1.3.0 on AWS
The CIS compliance standard on Prisma Cloud is updated with policy changes that check for compliance with the requirements and sections of the benchmark as outlined in v1.1.0 on GCP and v1.3.0 on AWS. For example, on GCP the requirements and sections are updated to add support for BigQuery and IAM, and on AWS they add IAM, SNS, and S3. Refer to the CIS benchmarks for details on all the services that are in scope for the update.

Trusted Source Exclusion for UEBA Anomaly Policies
To exclude internal or external IP addresses, such as addresses that belong to system administrators or addresses you use for testing access to new instances or services, you can now add them in CIDR format on Settings > Anomaly Settings > Anomaly Trusted List. Any addresses included in this list will not generate alerts against the specified Prisma Cloud Anomaly Policies.

If you had previously specified these IP addresses on Settings > Trusted IP Addresses > Trusted Alert IP Addresses, use this enhancement to delete the existing configuration and re-add the addresses to the Anomaly Trusted List. When you add the CIDR block to the Anomaly Trusted List, you can specify the cloud account or VPC with which the addresses are associated.

API Ingestion

  • AWS Glue
    aws-glue-connection
    Additional permissions required:
    Permission: glue:GetConnection

  • Azure Virtual Network
    The following APIs are updated to include information on loadBalancerBackendAddressPools:
    azure-network-lb-list
    azure-network-nic-list

  • Azure Event Hub
    azure-event-hub
    Additional permissions required:
    "Microsoft.EventHub/namespaces/eventhubs/read"
    "Microsoft.EventHub/namespaces/eventhubs/authorizationRules/read"
    If you use the Terraform templates that Prisma Cloud provides for onboarding, these permissions are added to azure_prisma_cloud_read_only_role.json.

  • Google Cloud Spanner
    gcloud-cloud-spanner-instance
    Additional permissions required:
    spanner.instances.list
    This permission is included in the predefined Project Viewer role.

Risk Rating is Removed (Update)
Prisma Cloud has removed the Risk rating from the following places:

  • On Dashboard > SecOps, the Risk Rating By Scanned Accounts widget.

  • On the Cloud Security Assessment report, the Scanned Resources by Risk Rating chart.

  • On Alerts > Overview, the filter for Risk Grade.

  • The Rating column on the Alerts details page.

  • The Rating column in the .csv file, when you download alerts or receive an attachment as a scheduled alert email.

The deprecation notice was published starting with 20.8.2.

New Policy and Policy Updates
See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.

New Policies

GCP SQL database is assigned with public IP—Identifies GCP SQL databases that are assigned a public IP address, which increases application latency and network risk.

GCP VM instance with the external IP address—Identifies VM instances that are accessible using an external or public IP address. To reduce your attack surface, VM instances should not have a public/external IP address and should be configured behind load balancers, to minimize the risks associated with direct exposure to the internet.

GCP VM instance with Shielded VM features disabled—Identifies VM instances on which the Shielded VM features are disabled. Shielded VMs are VMs on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.

GCP SQL database instance is not configured with automated backups—Identifies GCP SQL database instances that are not configured with automated backups to protect against data loss or damage.

AWS Network ACLs allow ingress traffic to server administration ports—Identifies AWS Network Access Control Lists (NACLs) that include rules allowing ingress traffic on server administration ports.

Policy Updates—RQL and Metadata
The following policies are updated:

Azure disk is unattached and not encrypted
Policy Name Updated—Azure disk is unattached and is encrypted with the default encryption key instead of ADE/CMK.
Updated RQL—The RQL has been updated to:
  config where cloud.type = 'azure' AND api.name = 'azure-disk-list' AND json.rule = '(managedBy does not exist or managedBy is empty) and (encryptionSettings does not exist or encryptionSettings.enabled is false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'
With this change, this policy identifies Azure disks that are unattached and not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK] or Customer Managed Key [SSE with CMK].

Azure Data disk is not encrypted
Policy Name Updated—Azure VM data disk is encrypted with the default encryption key instead of ADE/CMK.
Updated RQL—The RQL has been updated to:
  config where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType does not exist and managedBy exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'
With this change, this policy identifies Azure disks that are not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK] or Customer Managed Key [SSE with CMK].

Azure disk for VM operating system is not encrypted at rest using ADE
Policy Name Updated—Azure VM OS disk is encrypted with the default encryption key instead of ADE/CMK.
Updated RQL—The RQL has been updated to:
  config where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'
With this change, this policy identifies Azure disks that are not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK].

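The three updated Azure disk rules above, re-implemented as an added example (this is not Prisma Cloud code) over constructed azure-disk-list style records; the way it maps the RQL operators ("exists", "is empty", "is false"/"== false", "does not equal") onto dictionary checks is an assumption noted in the comments:

```python
# Added example (not Prisma Cloud code): a local model of the json.rule logic
# in the three updated Azure disk policies, run over constructed records shaped
# like azure-disk-list output. RQL "exists", "is empty", "is false"/"== false"
# and "does not equal" are modelled as plain dict checks (an assumption).
CMK = "EncryptionAtRestWithCustomerKey"
PMK = "EncryptionAtRestWithPlatformKey"


def _no_ade(disk):
    # (encryptionSettings does not exist or encryptionSettings.enabled is false)
    settings = disk.get("encryptionSettings")
    return settings is None or settings.get("enabled") is False


def _no_cmk(disk):
    # encryption.type does not equal EncryptionAtRestWithCustomerKey
    return disk.get("encryption", {}).get("type") != CMK


def unattached_default_key(disk):
    """Azure disk is unattached and is encrypted with the default key instead of ADE/CMK."""
    # (managedBy does not exist or managedBy is empty)
    return not disk.get("managedBy") and _no_ade(disk) and _no_cmk(disk)


def data_disk_default_key(disk):
    """Azure VM data disk is encrypted with the default key instead of ADE/CMK."""
    # osType does not exist and managedBy exists
    return "osType" not in disk and "managedBy" in disk and _no_ade(disk) and _no_cmk(disk)


def os_disk_default_key(disk):
    """Azure VM OS disk is encrypted with the default key instead of ADE/CMK."""
    return "osType" in disk and _no_ade(disk) and _no_cmk(disk)


# Constructed sample disks (shape only, not real Azure output).
SAMPLE_DISKS = [
    {"name": "orphan-pmk", "encryption": {"type": PMK}},
    {"name": "orphan-cmk", "encryption": {"type": CMK}},
    {"name": "data-pmk", "managedBy": "/vm/web01", "encryption": {"type": PMK}},
    {"name": "data-ade", "managedBy": "/vm/web01",
     "encryptionSettings": {"enabled": True}, "encryption": {"type": PMK}},
    {"name": "os-pmk", "osType": "Linux", "managedBy": "/vm/web01",
     "encryption": {"type": PMK}},
]


def findings(disks=SAMPLE_DISKS):
    """Return {policy: [disk names]} for each disk that a rule flags."""
    rules = {"unattached": unattached_default_key, "data_disk": data_disk_default_key,
             "os_disk": os_disk_default_key}
    return {name: [d["name"] for d in disks if rule(d)] for name, rule in rules.items()}
```

Note that a disk with Azure Disk Encryption enabled (data-ade) or with a customer-managed key (orphan-cmk) is not flagged by any of the three rules, which is the behaviour the renamed policies describe.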
SQL Instances do not have SSL configured
Updated RQL—The RQL has been updated to:
  config where cloud.type = 'gcp' AND api.name='gcloud-sql-instances-list' and json.rule = "(settings.ipConfiguration.requireSsl is true and _DateTime.ageInDays(serverCaCert.expirationTime) > -1) or not (settings.ipConfiguration.requireSsl is true)"
With this change, the policy identifies SQL instances with expired SSL certificates in addition to instances on which SSL is not enabled.
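The updated GCP SQL SSL rule above as an added example (this is not Prisma Cloud code), evaluated over constructed gcloud-sql-instances-list style records at a fixed clock; how _DateTime.ageInDays behaves is modelled as an assumption (fractional days elapsed, negative while the timestamp is still in the future):

```python
# Added example (not Prisma Cloud code): a local model of the updated
# "SQL Instances do not have SSL configured" rule, run over constructed records
# shaped like gcloud-sql-instances-list output. _DateTime.ageInDays is modelled
# as fractional days elapsed since the timestamp (negative while it is still in
# the future); that is an assumption about the RQL function, not its source.
from datetime import datetime, timezone


def age_in_days(timestamp, now):
    """Model of _DateTime.ageInDays(timestamp) evaluated at `now`."""
    return (now - timestamp).total_seconds() / 86400


def parse_rfc3339(text):
    # Accept the "Z" suffix that Python < 3.11 fromisoformat() does not.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def ssl_policy_matches(instance, now):
    """True when SSL is off, or SSL is on but the server CA cert is expired or about to expire."""
    require_ssl = (instance.get("settings", {})
                   .get("ipConfiguration", {})
                   .get("requireSsl") is True)
    if not require_ssl:
        return True                         # "or not (requireSsl is true)"
    expires = parse_rfc3339(instance["serverCaCert"]["expirationTime"])
    return age_in_days(expires, now) > -1   # expired, or under a day of validity left


# Constructed instances evaluated at a fixed "now" so the result is reproducible.
NOW = datetime(2020, 10, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE_INSTANCES = {
    "ssl-off": {"settings": {"ipConfiguration": {"requireSsl": False}}},
    "ssl-on-expired": {"settings": {"ipConfiguration": {"requireSsl": True}},
                       "serverCaCert": {"expirationTime": "2020-10-01T00:00:00Z"}},
    "ssl-on-expires-soon": {"settings": {"ipConfiguration": {"requireSsl": True}},
                            "serverCaCert": {"expirationTime": "2020-10-19T00:00:00Z"}},
    "ssl-on-valid": {"settings": {"ipConfiguration": {"requireSsl": True}},
                     "serverCaCert": {"expirationTime": "2030-10-18T12:00:00Z"}},
}


def flagged(instances=SAMPLE_INSTANCES, now=NOW):
    """Sorted names of the instances the rule flags."""
    return sorted(name for name, inst in instances.items() if ssl_policy_matches(inst, now))
```

Under this model the ssl-on-expires-soon case shows the effect of the "> -1" threshold: a certificate with less than a day of validity left is already reported alongside the expired one.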
REST API Updates

Deprecated Prisma Cloud Public REST APIs for IP Allow List have been removed (Update)
The following APIs have been removed:
 
  • GET /whitelist/network
 
  • POST /whitelist/network
 
  • GET /whitelist/network/{uuid}
 
  • PUT /whitelist/network/{uuid}
 
  • POST /whitelist/network/{uuid}/cidr
 
  • PUT /whitelist/network/{uuid}/cidr/{cidrUuid}
 
  • DELETE /whitelist/network/{uuid}/cidr/{cidrUuid}
 
  • GET /ip_whitelist_login
 
  • POST /ip_whitelist_login
 
  • GET /ip_whitelist_login/{id}
 
  • PUT /ip_whitelist_login/{id}
 
  • DELETE /ip_whitelist_login/{id}
 
  • GET /ip_whitelist_login/status
 
  • PATCH /ip_whitelist_login/status
 
  • GET /ip_whitelist_login/tab
 
Deprecated Prisma Cloud Public REST API fields for Enterprise Settings have been removed (Update)
The enterprise settings model fields anomalyTrainingModelThreshold and anomalyAlertDisposition have been removed. These fields are no longer in:
 
  • The response object for GET /settings/enterprise

  • The request body parameters for POST /settings/enterprise
 
Amazon SQS integration
The request body for the Prisma Cloud APIs to add, update, or test an Amazon SQS integration includes two new parameters for IAM role support. The new parameters are:
 
  • integrationConfig.roleArn
 
  • integrationConfig.externalId
 
The APIs that include these new request body parameters are:
 
  • POST /integration/test
 
  • POST /integration
 
  • PUT /integration/{id}
 
Resource RRN
The object model for the Prisma Cloud Restricted Resource Name (RRN) includes a new read-only property idmapId. The response object for each of the following APIs includes this new property:
 
  • GET /resource
 
  • GET /resource/raw
 
Version history
Revision 2 of 2, last updated 10-18-2020 02:35 PM