Prisma Cloud Release Notes, Features Introduced in 20.11.1, November 2020
Features Introduced in 20.11.1

New Features

Data Profiles for Prisma Cloud Data Security
To give you control over which data profiles are used to discover sensitive content in your S3 buckets, you can now enable and disable data profiles. For example, if you want Prisma Cloud to generate alerts only for violations that pertain to PII and Intellectual Property, disable the other data profiles. Doing so reduces the number of alerts and lets you focus on the data security issues you care about most.
 

 

Scan Status in Data Inventory
If you have enabled the Prisma Cloud Data Security subscription, you can review the scan status of each object in the Data Inventory table on Inventory > Data. The states are:

  • Scanning: the object was submitted for scanning successfully.
  • Failed: the object could not be submitted for scanning.
  • Not Sensitive: the object does not contain sensitive information for the data profiles and data patterns used in the scan.
  • Not Supported: the file type is not supported for scanning.
  • Too Large: the file size is greater than 20 MB.

Serverless Remediation Scripts for AWS
For auto-remediation of alerts generated against resources deployed on AWS, Prisma Cloud provides scripts that use AWS Lambda. The Prisma Cloud platform sends alert messages to an AWS SQS queue, which in turn invokes a Lambda function, index_prisma.py. The function then calls the appropriate runbook script to remediate the alert(s). With AWS Lambda performing the remediation, you do not need to give Prisma Cloud read-write access to your AWS accounts: the permissions to change the violating resources sit in the Lambda function's own execution role, which stays inside your account. This is an alternative way to try remediation for violating resources. Get the scripts from the GitHub repository.
There are currently 46 runbooks, available at no cost. Use them, and if you have a good way to solve a security concern, contribute it to the community.
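The following is an added example of the SQS-to-Lambda dispatch described above; it is not index_prisma.py or any runbook from the GitHub repository, and it is deliberately offline. The SQS record shape (Records[].messageId, Records[].body) is the standard Lambda event for an SQS trigger; the alert fields inside the body (policyName, resourceId, resourceRegionId), the policy name in the dispatch table, and the RecordingS3 stand-in client are assumptions for this illustration. The one runbook shown uses the real boto3 call put_public_access_block, which is why the Lambda execution role, not Prisma Cloud, needs s3:PutBucketPublicAccessBlock.

```python
import json
from typing import Any, Callable, Dict, List, Optional


def block_public_access(s3: Any, bucket: str) -> str:
    """Runbook: turn on all four S3 Block Public Access settings for one bucket.

    put_public_access_block is the real boto3 S3 client call; the client is
    passed in so the runbook can be exercised offline with a fake client.
    """
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
    )
    return f"public access blocked on {bucket}"


# Assumed dispatch table: policy name -> runbook. The policy name is hypothetical;
# the real runbook repository keys its scripts differently.
RUNBOOKS: Dict[str, Callable[[Any, str], str]] = {
    "AWS S3 bucket is publicly accessible (hypothetical)": block_public_access,
}


def parse_alert(body: str) -> Dict[str, Any]:
    """Decode one SQS message body into an alert dict.

    The field names policyName, resourceId and resourceRegionId are assumed for
    this example; check the payload your SQS integration actually sends.
    """
    alert = json.loads(body)
    for key in ("policyName", "resourceId", "resourceRegionId"):
        if key not in alert:
            raise ValueError(f"alert is missing {key}")
    return alert


def _boto3_client(service: str, region: str) -> Any:
    import boto3  # imported lazily so the example runs offline without boto3
    return boto3.client(service, region_name=region)


def lambda_handler(event: Dict[str, Any], context: Any,
                   client_factory: Optional[Callable[[str, str], Any]] = None) -> List[Dict[str, str]]:
    """Entry point for an SQS-triggered Lambda: one SQS record per alert.

    Returns a per-message status instead of raising, so one malformed or
    unsupported alert does not make Lambda retry the whole SQS batch.
    """
    make_client = client_factory or _boto3_client
    results: List[Dict[str, str]] = []
    for record in event.get("Records", []):
        message_id = record.get("messageId", "?")
        try:
            alert = parse_alert(record["body"])
        except (KeyError, ValueError) as exc:  # json.JSONDecodeError is a ValueError
            results.append({"messageId": message_id, "status": f"skipped: {exc}"})
            continue
        runbook = RUNBOOKS.get(alert["policyName"])
        if runbook is None:
            results.append({"messageId": message_id, "status": "skipped: no runbook for policy"})
            continue
        try:
            s3 = make_client("s3", alert["resourceRegionId"])
            status = runbook(s3, alert["resourceId"])
        except Exception as exc:  # AWS API errors are reported per message, not re-raised
            status = f"failed: {exc}"
        results.append({"messageId": message_id, "status": status})
    return results


class RecordingS3:
    """Offline stand-in for a boto3 S3 client that records the calls it receives."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def put_public_access_block(self, **kwargs: Any) -> None:
        self.calls.append(kwargs)


# Constructed SQS event: one remediable alert, one with no runbook, one garbage body.
SAMPLE_EVENT = {"Records": [
    {"messageId": "m-1", "body": json.dumps({
        "policyName": "AWS S3 bucket is publicly accessible (hypothetical)",
        "resourceId": "trail-logs-open", "resourceRegionId": "us-east-1"})},
    {"messageId": "m-2", "body": json.dumps({
        "policyName": "Some policy without a runbook",
        "resourceId": "i-0123456789abcdef0", "resourceRegionId": "us-east-1"})},
    {"messageId": "m-3", "body": "not json at all"},
]}


def run_sample():
    """Run the handler on SAMPLE_EVENT with the fake client; returns (results, recorded calls)."""
    fake = RecordingS3()
    results = lambda_handler(SAMPLE_EVENT, None, client_factory=lambda service, region: fake)
    return results, fake.calls


if __name__ == "__main__":
    for line in run_sample()[0]:
        print(line)
```

Returning a status per message rather than raising is a deliberate trade-off: an exception from an SQS-triggered Lambda makes the whole batch visible again for redelivery, so a single unparseable message would otherwise keep re-triggering every remediation in its batch. Pair this with a dead-letter queue and CloudWatch alarms on the "failed" statuses so silent failures are still seen.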
RQL Attribute azure.resource.group
A new Config query RQL attribute, azure.resource.group, enables you to search for the configuration of resources hosted within a specific Azure Resource Group. For example:
config where resource.status = Active AND azure.resource.group IN ( 'Azureprod1' , 'Azureprod-2' )
 

 

API Ingestion

Azure Compute: azure-virtual-machine-scale-set-vm
Additional permissions required:
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read

Google Cloud Spanner: gcloud-cloud-spanner-database
Additional permissions required:
spanner.databases.list
Optional: spanner.databases.getIamPolicy
These permissions are included in the predefined Project Viewer role.

AWS CloudFormation: aws-cloudformation-describe-stacks
The API now also retrieves the enableTerminationProtection attribute of each stack.

Amazon S3 Glacier: aws-glacier-vault
Additional permissions required:
glacier:ListTagsForVault
glacier:ListVaults
These permissions are included in the AWS managed SecurityAudit policy.
 
 
 

New Policy and Policy Updates

New Policies
The following new policies are being added:
AWS Database Migration Service endpoint do not have SSL configured
Identifies Database Migration Service (DMS) endpoints that are not configured with SSL to encrypt connections between source and target endpoints.
 
AWS SageMaker notebook instance not configured with data encryption at rest using KMS key
Identifies SageMaker notebook instances that are not configured with data encryption at rest using the AWS Managed KMS key.
 
AWS SageMaker notebook instance configured with direct internet access
Identifies SageMaker notebook instances that are configured with direct internet access and allow unrestricted access from any source outside the VPC to establish a connection to the notebook instance.
 
Azure Application gateways listener that allow connection requests over HTTP
Identifies Azure application gateways that accept connection requests over HTTP, instead of using HTTPS for encrypted communication between application clients and gateways.
 
GCP cloud storage bucket with uniform bucket-level access disabled
Identifies storage buckets that are not configured with uniform bucket-level access. Enabling it disables object-level ACLs on the bucket, so that access is granted only through Cloud IAM and permissions are uniform across the whole bucket.
 
GCP VM instance configured with default service account
Identifies the GCP VM instances configured with the default service account, which increases the risk of privilege escalations if your VM is compromised.
Policy Updates: Description
AWS IAM policy attached to users
Updated Description: This policy identifies IAM policies attached directly to users. By default, IAM users, groups, and roles have no access to AWS resources; IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be attached to groups rather than directly to users.
Policy Updates: RQL and Metadata
Azure Security Center contact phone number not set
Updated RQL: The RQL has been updated to
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists'
With this change, new alerts will be generated.
Updated Recommendation: Includes the CLI command to create a new security contact with a phone number.
 
AWS Inactive users for more than 30 days
Updated RQL: The RQL has been updated to
config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-credential-report' AND json.rule = 'user does not equal <root_account> and _DateTime.ageInDays(user_creation_time) > 30 and (password_last_used equals N/A or password_last_used equals no_information or _DateTime.ageInDays(password_last_used) > 30) and ((access_key_1_last_used_date equals N/A or _DateTime.ageInDays(access_key_1_last_used_date) > 30) and (access_key_2_last_used_date equals N/A or _DateTime.ageInDays(access_key_2_last_used_date) > 30))'
With this change, the policy excludes the root account (user <root_account>) from the inactive-user check. Open alerts generated for the root account will be resolved, with POLICY UPDATED as the reason.
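As an added example (not part of the release notes or the product), the same inactive-user logic implemented in Python over an IAM credential report, so you can check the policy's behaviour against your own report before an alert fires: the root row is skipped, users younger than the threshold are skipped, and a user is reported only when the console password and both access keys are all unused (N/A or no_information) or last used more than the threshold ago. The column names are the real aws iam get-credential-report headers; the report rows and the fixed reference date are constructed for this example. The generalization over the RQL is that the threshold is a parameter and both "never used" markers are accepted for access keys as well as passwords.

```python
import csv
import io
from datetime import datetime, timezone
from typing import List, Optional

# Markers the credential report uses for "never used / not applicable".
UNUSED = ("N/A", "no_information")


def age_in_days(value: str, now: datetime) -> Optional[int]:
    """Days between an ISO-8601 report timestamp and `now`; None for N/A or no_information."""
    if value in UNUSED:
        return None
    return (now - datetime.fromisoformat(value)).days


def unused_for(value: str, now: datetime, days: int) -> bool:
    """True when the credential was never used, or last used more than `days` ago."""
    age = age_in_days(value, now)
    return age is None or age > days


def find_inactive_users(report_csv: str, now: datetime, days: int = 30) -> List[str]:
    """Names of non-root users created more than `days` ago whose password and both
    access keys are all unused for more than `days` (the updated policy's logic)."""
    inactive: List[str] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # the 20.11.1 change: the root account is excluded
        created = age_in_days(row["user_creation_time"], now)
        if created is None or created <= days:
            continue  # too new to be expected to have logged in yet
        if (unused_for(row["password_last_used"], now, days)
                and unused_for(row["access_key_1_last_used_date"], now, days)
                and unused_for(row["access_key_2_last_used_date"], now, days)):
            inactive.append(row["user"])
    return inactive


# Constructed credential report (subset of columns) and a fixed "now" so the result is stable.
NOW = datetime(2020, 11, 15, tzinfo=timezone.utc)
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_last_used,access_key_1_last_used_date,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,2020-05-01T00:00:00+00:00,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-01-01T00:00:00+00:00,2020-09-10T00:00:00+00:00,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-11-05T00:00:00+00:00,no_information,N/A,N/A
carol,arn:aws:iam::123456789012:user/carol,2020-03-01T00:00:00+00:00,N/A,2020-11-10T00:00:00+00:00,N/A
dave,arn:aws:iam::123456789012:user/dave,2020-08-01T00:00:00+00:00,2020-10-01T00:00:00+00:00,N/A,2020-10-05T00:00:00+00:00
"""

if __name__ == "__main__":
    # root: excluded; alice: password 66 days, keys unused; bob: created 10 days ago;
    # carol: access key 1 used 5 days ago; dave: password 45 days, key 2 41 days.
    print(find_inactive_users(SAMPLE_REPORT, NOW))
```

To run it against a real account, feed it the output of `aws iam get-credential-report --query Content --output text | base64 -d` and `datetime.now(timezone.utc)`; the report is generated at most once every four hours, so a user who logged in after the report was generated can still be listed.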
 
AWS CloudTrail bucket is publicly accessible
Updated RQL: The RQL has been updated to
config from cloud.resource where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule = "((((acl.grants[?(@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee=='AllUsers')] size > 0) and ((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false))) or (policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false))))" as X; config from cloud.resource where api.name = 'aws-cloudtrail-describe-trails' as Y; filter'$.X.bucketName equals $.Y.s3BucketName'; show X;
With this change, the policy also evaluates the account-level S3 Block Public Access settings: a bucket is reported only if neither the bucket-level nor the account-level settings neutralize the public ACL (ignorePublicAcls) or public bucket policy (restrictPublicBuckets) that exposes it. Any open alerts for S3 buckets whose public access is blocked at the account level will be resolved.
The remediation CLI has been removed, so this policy is no longer a Remediable policy with automatic remediation for the violating resource.
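The updated RQL above is long enough that its precedence is easy to misread. The following added example (not from the release notes or the product) restates it as Python over records shaped like the fields the RQL references, plus the join against the trails list, so you can reason about which buckets will stay alerted and which alerts will resolve. The record fields mirror the RQL; the bucket and trail records themselves are constructed.

```python
from typing import Any, Dict, List, Optional


def _is_false(block: Optional[Dict[str, Any]], setting: str) -> bool:
    """RQL `block.setting is false`: the block exists and the flag is explicitly false."""
    return block is not None and block.get(setting) is False


def is_public(bucket: Dict[str, Any]) -> bool:
    """Mirror the bucket half (X) of the updated RQL on one aws-s3api-get-bucket-acl record."""
    grants = bucket.get("acl", {}).get("grants", [])
    acl_all_users = any(g.get("grantee") == "AllUsers" for g in grants)
    policy_public = bucket.get("policyStatus", {}).get("isPublic") is True
    pab = bucket.get("publicAccessBlockConfiguration")
    apab = bucket.get("accountLevelPublicAccessBlockConfiguration")

    def unblocked(setting: str) -> bool:
        # The RQL's three alternatives: the protection is off at whichever
        # level defines it, and the other level is absent or also off.
        return ((_is_false(pab, setting) and apab is None)
                or (pab is None and _is_false(apab, setting))
                or (_is_false(pab, setting) and _is_false(apab, setting)))

    if (acl_all_users or policy_public) and pab is None and apab is None:
        return True  # exposed, and no Block Public Access at either level
    if acl_all_users and unblocked("ignorePublicAcls"):
        return True  # public ACL is not ignored anywhere
    if policy_public and unblocked("restrictPublicBuckets"):
        return True  # public bucket policy is not restricted anywhere
    return False


def public_cloudtrail_buckets(buckets: List[Dict[str, Any]],
                              trails: List[Dict[str, Any]]) -> List[str]:
    """The join: keep buckets (X) that some trail (Y) writes to and that are public."""
    trail_buckets = {t.get("s3BucketName") for t in trails}
    return [b["bucketName"] for b in buckets
            if b["bucketName"] in trail_buckets and is_public(b)]


# Constructed sample records, shaped like the fields the RQL references.
ALL_USERS_READ = {"grantee": "AllUsers", "permission": "READ"}
PAB_ALL_ON = {"blockPublicAcls": True, "ignorePublicAcls": True,
              "blockPublicPolicy": True, "restrictPublicBuckets": True}
SAMPLE_BUCKETS = [
    # public ACL, no Block Public Access anywhere -> reported
    {"bucketName": "trail-logs-open", "acl": {"grants": [ALL_USERS_READ]},
     "policyStatus": {"isPublic": False}},
    # public ACL, bucket-level ignorePublicAcls off, but the account level ignores
    # public ACLs -> the 20.11.1 change resolves this alert
    {"bucketName": "trail-logs-acct-blocked", "acl": {"grants": [ALL_USERS_READ]},
     "policyStatus": {"isPublic": False},
     "publicAccessBlockConfiguration": {**PAB_ALL_ON, "ignorePublicAcls": False},
     "accountLevelPublicAccessBlockConfiguration": PAB_ALL_ON},
    # public bucket policy, bucket-level restrictPublicBuckets off, no account level -> reported
    {"bucketName": "trail-logs-policy-public", "acl": {"grants": []},
     "policyStatus": {"isPublic": True},
     "publicAccessBlockConfiguration": {**PAB_ALL_ON, "restrictPublicBuckets": False}},
    # public ACL, ignorePublicAcls off at both levels -> reported
    {"bucketName": "trail-logs-both-off", "acl": {"grants": [ALL_USERS_READ]},
     "policyStatus": {"isPublic": False},
     "publicAccessBlockConfiguration": {**PAB_ALL_ON, "ignorePublicAcls": False},
     "accountLevelPublicAccessBlockConfiguration": {**PAB_ALL_ON, "ignorePublicAcls": False}},
    # public, but no trail writes to it -> outside this policy's scope
    {"bucketName": "website-assets", "acl": {"grants": [ALL_USERS_READ]},
     "policyStatus": {"isPublic": True}},
]
SAMPLE_TRAILS = [
    {"name": "org-trail", "s3BucketName": "trail-logs-open"},
    {"name": "sec-trail", "s3BucketName": "trail-logs-acct-blocked"},
    {"name": "audit-trail", "s3BucketName": "trail-logs-policy-public"},
    {"name": "legacy-trail", "s3BucketName": "trail-logs-both-off"},
]

if __name__ == "__main__":
    print(public_cloudtrail_buckets(SAMPLE_BUCKETS, SAMPLE_TRAILS))
```

Note what the second record shows: the account-level setting wins even when the bucket-level block leaves ignorePublicAcls off, which is exactly the class of alert the release says will be resolved. Conversely, a trail bucket with a public ACL and no public-access block at either level stays alerted, and since the remediation CLI is gone, closing it now means applying the block yourself.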
 
 
 

REST API Updates

Cloud Account APIs
A new, optional request query parameter, skipStatusChecks, enables you to skip the account status checks and so reduce the response time of the following APIs:
  • POST /cloud/{cloud_type}
  • PUT /cloud/{cloud_type}/{id}
The trade-off is that the call returns without validating the account's status, so onboarding problems surface later rather than in this response.

IaC Scan V2 APIs
The response object for GET /iac/v2/scans/{scanId}/results includes a new attribute, data.attributes.docUrl, which provides a URL to the policy documentation relevant to a violation the IaC scan identifies.

 

Last update: 01-25-2021 03:13 PM