on 01-25-2021 10:21 AM - edited on 02-04-2022 01:29 PM by RPrasadi
| FEATURE | DESCRIPTION |
|---|---|
| Role-Based Authentication on Amazon SQS Integration | When integrating Prisma Cloud with Amazon SQS, you now have the flexibility to specify an IAM Role to enable alert notifications to SQS. If you use Assume Role for cross-account access to AWS resources, you can provide the Role ARN and External ID associated with the IAM Role on Prisma Cloud. |
| Support for CIS v1.1.0 on GCP and CIS v1.3.0 on AWS | The CIS compliance standard on Prisma Cloud is updated to include policy updates that check for compliance with the requirements and sections in the benchmark as outlined in v1.1.0 on GCP and v1.3.0 on AWS. For example, requirements and sections are updated on GCP to add support for BigQuery and IAM, and on AWS to add IAM, SNS, and S3. Refer to the CIS benchmarks for details on all the services that are in scope for the update. |
| Trusted Source Exclusion for UEBA Anomaly Policies | To exclude internal or external IP addresses, such as addresses that belong to system administrators or those you use for testing access to new instances or services, you can now add them in CIDR format on Settings > Anomaly Settings > Anomaly Trusted List. If you had previously specified these IP addresses on Settings > Trusted IP Addresses > Trusted Alert IP Addresses, on the Anomaly Trusted List you can specify a specific cloud account or VPC with which the addresses are associated. |
| API Ingestion: AWS Glue | `aws-glue-connection`. Additional permission required: `glue:GetConnection`. |
| API Ingestion: Azure Virtual Network | `loadBalancerBackendAddressPools` for `azure-network-lb-list` and `azure-network-nic-list`. |
| API Ingestion: Azure Event Hub | `azure-event-hub`. Additional permissions required: `Microsoft.EventHub/namespaces/eventhubs/read` and `Microsoft.EventHub/namespaces/eventhubs/authorizationRules/read`. If you use the Terraform templates that Prisma Cloud provides for onboarding, the permissions are added to `azure_prisma_cloud_read_only_role.json`. |
| API Ingestion: Google Cloud Spanner | `gcloud-cloud-spanner-instance`. Additional permissions required: `spanner.instances.list` and `spanner.instances.getIamPolicy`. These permissions are included in the predefined Project Viewer role. |
| Update: Risk Rating is Removed | Prisma Cloud has removed Risk rating from the following places: The deprecation notice was published starting 20.8.2. |
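The SQS feature above relies on a cross-account IAM role that Prisma Cloud assumes with a Role ARN and an External ID. The script below is an added example, not Prisma Cloud code: it runs two static checks a defender would want before wiring such a role up, namely that every `sts:AssumeRole` trust statement names the expected account and carries an `sts:ExternalId` condition (the standard confused-deputy protection), and that the role's permissions policy carries no wildcard action or resource. The account IDs, queue ARN, external ID and the assumption that `sqs:SendMessage` on one queue is the only permission the integration needs are all constructed placeholders; check the integration's documented requirements for the real action set.

```python
"""Static checks for the IAM role a cross-account Amazon SQS alert integration
assumes with a Role ARN and External ID. Added example, not Prisma Cloud code;
all account IDs, queue ARNs and the external ID below are constructed placeholders."""
import json

TRUSTED_ACCOUNT_ID = "111111111111"  # constructed: the account that calls sts:AssumeRole
ALERT_QUEUE_ARN = "arn:aws:sqs:us-east-1:222222222222:prisma-alerts"  # constructed


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust_policy, trusted_account_id=TRUSTED_ACCOUNT_ID):
    """Check every Allow sts:AssumeRole statement in a role trust policy:
    the principal must be the expected account and a StringEquals
    sts:ExternalId condition must be present (confused-deputy protection)."""
    findings = []
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for p in principals:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal lets any AWS account assume the role")
            elif trusted_account_id not in str(p):  # accepts '111...' or 'arn:aws:iam::111...:root'
                findings.append(f"statement {i}: principal {p} is not the expected account {trusted_account_id}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(f"statement {i}: no sts:ExternalId condition on AssumeRole")
    return findings


def permissions_policy_findings(policy, queue_arn=ALERT_QUEUE_ARN):
    """Least-privilege check for the role's permissions policy: the role only has
    to deliver alerts to one queue, so wildcard actions or resources are flagged."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith("*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource; scope to {queue_arn}")
            elif resource != queue_arn:
                findings.append(f"statement {i}: resource {resource} is not the alert queue")
    return findings


# Constructed sample policies: a permissive pair and a hardened pair.
WEAK_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]
}""")
HARDENED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
    }],
}
WEAK_PERMISSIONS = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}
HARDENED_PERMISSIONS = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "sqs:SendMessage",
                                       "Resource": ALERT_QUEUE_ARN}]}

if __name__ == "__main__":
    for name, policy, check in [("weak trust", WEAK_TRUST, trust_policy_findings),
                                ("hardened trust", HARDENED_TRUST, trust_policy_findings),
                                ("weak permissions", WEAK_PERMISSIONS, permissions_policy_findings),
                                ("hardened permissions", HARDENED_PERMISSIONS, permissions_policy_findings)]:
        print(name, "->", check(policy) or "OK")
```

Run it as a script to see the two permissive policies produce findings and the two hardened ones pass; the same functions can be pointed at the output of `aws iam get-role` and `aws iam get-role-policy` to check a real role before entering its ARN and External ID on Prisma Cloud.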
| POLICY NAME | DESCRIPTION |
|---|---|
| New Policies | |
| GCP SQL database is assigned with public IP | Identifies GCP SQL databases that are assigned a public IP address, which increases application latency and network risks. |
| GCP VM instance with the external IP address | Identifies VM instances that are accessible using an external or public IP address. To reduce your attack surface, VM instances should not have a public/external IP address and should be configured behind load balancers, to minimize the risks associated with direct exposure to the internet. |
| GCP VM instance with Shielded VM features disabled | Identifies VM instances on which the Shielded VM features are disabled. Shielded VMs are VMs on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits. |
| GCP SQL database instance is not configured with automated backups | Identifies the GCP SQL database instances that are not configured with automated backups to protect against loss or damage. |
| AWS Network ACLs allow ingress traffic to server administration ports | Identifies AWS Network Access Control Lists (NACLs) that include rules to allow ingress traffic on server administration ports. |
| Policy Updates—RQL and Metadata | The following policies are updated: |
| Azure disk is unattached and not encrypted | Policy Name Updated: "Azure disk is unattached and is encrypted with the default encryption key instead of ADE/CMK". Updated RQL: `config where cloud.type = 'azure' AND api.name = 'azure-disk-list' AND json.rule = '(managedBy does not exist or managedBy is empty) and (encryptionSettings does not exist or encryptionSettings.enabled is false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'`. With this change this policy will identify Azure disks that are unattached and not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK] or Customer Managed Key [SSE with CMK]. |
| Azure Data disk is not encrypted | Policy Name Updated: "Azure VM data disk is encrypted with the default encryption key instead of ADE/CMK". Updated RQL: `config where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType does not exist and managedBy exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'`. With this change this policy will identify Azure disks that are not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK] or Customer Managed Key [SSE with CMK]. |
| Azure disk for VM operating system is not encrypted at rest using ADE | Policy Name Updated: "Azure VM OS disk is encrypted with the default encryption key instead of ADE/CMK". Updated RQL: `config where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'`. With this change this policy will identify Azure disks that are not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK]. |
| SQL Instances do not have SSL configured | Updated RQL: `config where cloud.type = 'gcp' AND api.name='gcloud-sql-instances-list' and json.rule = "(settings.ipConfiguration.requireSsl is true and _DateTime.ageInDays(serverCaCert.expirationTime) > -1) or not (settings.ipConfiguration.requireSsl is true)"`. With this change, the policy identifies SQL instances with expired SSL certificates in addition to instances on which SSL is not enabled. |
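To make the four updated `json.rule` predicates concrete, the following added example (not Prisma Cloud's RQL engine, and not code from the release) re-implements each rule as a Python predicate over plain resource dicts and runs them against constructed sample Azure disks and GCP SQL instances, so you can see which resource shapes the renamed policies flag. Two semantics are assumptions rather than something the page states: a missing `encryption.type` is treated as "does not equal" the customer-key value, and `_DateTime.ageInDays(t)` is treated as the number of days elapsed since `t`, so `> -1` becomes true once the CA certificate has expired (or expires within the next day).

```python
"""The updated json.rule predicates from this release, re-implemented over plain
dicts so the classification can be checked on sample resources. Added example,
not Prisma Cloud's RQL engine; all sample resources below are constructed."""
from datetime import datetime, timezone


def _get(obj, path):
    """Walk a dotted path; return None when any segment is missing."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _ade_disabled(disk):
    """'(encryptionSettings does not exist or encryptionSettings.enabled is false)'"""
    return _get(disk, "encryptionSettings") is None or _get(disk, "encryptionSettings.enabled") is False


def _not_customer_key(disk):
    """'encryption.type does not equal EncryptionAtRestWithCustomerKey'.
    Assumption: a missing encryption.type also counts as 'does not equal'."""
    return _get(disk, "encryption.type") != "EncryptionAtRestWithCustomerKey"


def unattached_disk_default_key(disk):
    """Azure disk is unattached and is encrypted with the default encryption key instead of ADE/CMK."""
    return _get(disk, "managedBy") in (None, "") and _ade_disabled(disk) and _not_customer_key(disk)


def data_disk_default_key(disk):
    """Azure VM data disk is encrypted with the default encryption key instead of ADE/CMK."""
    return (_get(disk, "osType") is None and _get(disk, "managedBy") is not None
            and _ade_disabled(disk) and _not_customer_key(disk))


def os_disk_default_key(disk):
    """Azure VM OS disk is encrypted with the default encryption key instead of ADE/CMK."""
    return _get(disk, "osType") is not None and _ade_disabled(disk) and _not_customer_key(disk)


DISK_POLICIES = {
    "unattached disk, default key": unattached_disk_default_key,
    "VM data disk, default key": data_disk_default_key,
    "VM OS disk, default key": os_disk_default_key,
}


def evaluate_disks(disks):
    """Map each disk name to the list of updated policies that flag it."""
    return {d["name"]: [label for label, rule in DISK_POLICIES.items() if rule(d)] for d in disks}


def sql_instance_ssl_missing_or_expired(instance, now):
    """'SQL Instances do not have SSL configured', updated rule:
    (requireSsl is true and ageInDays(serverCaCert.expirationTime) > -1)
    or not (requireSsl is true).
    Assumption: ageInDays(t) is (now - t) in days, so '> -1' is true once the
    CA certificate has expired (or expires within the next day)."""
    if _get(instance, "settings.ipConfiguration.requireSsl") is not True:
        return True
    expiry = _get(instance, "serverCaCert.expirationTime")
    if expiry is None:
        return False  # assumption: ageInDays of a missing field does not compare true
    expires_at = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    age_in_days = (now - expires_at).total_seconds() / 86400
    return age_in_days > -1


# Constructed sample resources (placeholder subscription and VM ids).
VM1 = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1"
PMK = {"type": "EncryptionAtRestWithPlatformKey"}
SAMPLE_DISKS = [
    {"name": "orphan-default", "encryption": PMK},
    {"name": "data-default", "managedBy": VM1, "encryption": PMK},
    {"name": "data-cmk", "managedBy": VM1, "encryption": {"type": "EncryptionAtRestWithCustomerKey"}},
    {"name": "os-ade", "osType": "Linux", "managedBy": VM1, "encryptionSettings": {"enabled": True}, "encryption": PMK},
    {"name": "os-default", "osType": "Windows", "managedBy": VM1, "encryption": PMK},
]
NOW = datetime(2021, 1, 25, tzinfo=timezone.utc)  # release date, used as the evaluation time
SAMPLE_SQL = [
    {"name": "db-nossl", "settings": {"ipConfiguration": {"requireSsl": False}}},
    {"name": "db-ssl-valid", "settings": {"ipConfiguration": {"requireSsl": True}},
     "serverCaCert": {"expirationTime": "2030-01-01T00:00:00.000Z"}},
    {"name": "db-ssl-expired", "settings": {"ipConfiguration": {"requireSsl": True}},
     "serverCaCert": {"expirationTime": "2020-12-31T00:00:00.000Z"}},
]


def evaluate_sql(instances, now=NOW):
    """Map each SQL instance name to whether the updated policy flags it."""
    return {i["name"]: sql_instance_ssl_missing_or_expired(i, now) for i in instances}


if __name__ == "__main__":
    for name, hits in evaluate_disks(SAMPLE_DISKS).items():
        print(f"{name}: {hits or 'compliant'}")
    for name, flagged in evaluate_sql(SAMPLE_SQL).items():
        print(f"{name}: {'flagged' if flagged else 'compliant'}")
```

The sample set is chosen so each renamed disk policy fires on exactly one disk and the customer-managed-key and ADE-enabled disks pass, and so the SQL rule shows both conditions the release note describes: SSL not enforced, and SSL enforced with an expired server CA certificate.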
| CHANGE | DESCRIPTION |
|---|---|
| Update: Deprecated Prisma Cloud Public REST APIs for IP Allow List have been removed | The following APIs have been removed: |
| Update: Deprecated Prisma Cloud Public REST API fields for Enterprise Settings have been removed | The enterprise settings model fields `anomalyTrainingModelThreshold` and `anomalyAlertDisposition` have been removed. These fields are no longer in: |
| Amazon SQS integration | The request body for the Prisma Cloud APIs to add, update, or test an Amazon SQS integration includes two new parameters for IAM role support. The new parameters are: The APIs that include these new request body parameters are: |
| Resource RRN | The object model for the Prisma Cloud Restricted Resource Name (RRN) includes a new read-only property in the response object for the following APIs: |