Prisma Cloud Release Notes, Features Introduced in 20.12.1, December 2020

 

New Features Introduced in 20.12.1

 

New Features

 
Machine Learning Classification Improvements for Unusual User Activity / UEBA Policies
For better detection of anomalies, the machine learning model is being updated on Prisma Cloud. These changes are transparent to you.
 
For Excessive login failures, the detection window has been reduced from 1 hour to 15 minutes and the default threshold is set to 5 failed login events. Also, the model building thresholds have been reduced from 7 days and 4 events to 1 day and just 1 event to help you detect incidents sooner.
 
For generating alerts on Account hijacking attempts, the minimum distance between the two locations has to be at least 1000 miles within a 2-hour period.
 
For Unusual user activity, the unknown location alert is generated only if the new location is at least 160 miles (instead of 120 miles) away from every known location in the model.
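The three thresholds above, written out as detection logic so their interplay is visible. This is an added example, not Prisma Cloud's model; the event data, coordinates and the great-circle distance check are constructed for illustration.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))

def excessive_login_failures(events, window=timedelta(minutes=15), threshold=5):
    """True if some sliding window of `window` length holds at least `threshold` failures."""
    fails = sorted(t for t, success in events if not success)
    start = 0
    for end, t in enumerate(fails):
        while t - fails[start] > window:  # drop failures that fell out of the window
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False

def account_hijacking(logins, min_miles=1000, window=timedelta(hours=2)):
    """True if two logins at least `min_miles` apart occur within `window` (impossible travel)."""
    logins = sorted(logins)  # (time, (lat, lon)) pairs
    for i, (t_i, loc_i) in enumerate(logins):
        for t_j, loc_j in logins[i + 1:]:
            if t_j - t_i > window:
                break
            if miles_between(loc_i, loc_j) >= min_miles:
                return True
    return False

def unusual_location(new_loc, known_locs, min_miles=160):
    """True if the new location is at least `min_miles` from every known location in the model."""
    return all(miles_between(new_loc, k) >= min_miles for k in known_locs)

# Constructed sample data, not taken from the release notes.
T0 = datetime(2020, 12, 1, 9, 0)
SF, NYC, OAKLAND = (37.77, -122.42), (40.71, -74.01), (37.80, -122.27)
FAILED_BURST = [(T0 + timedelta(minutes=2 * i), False) for i in range(5)]  # 5 failures in 8 minutes
SLOW_FAILS = [(T0 + timedelta(minutes=20 * i), False) for i in range(5)]   # 5 failures in 80 minutes
HIJACK = [(T0, SF), (T0 + timedelta(hours=1), NYC)]                          # SF to NYC in one hour
SLOW_TRIP = [(T0, SF), (T0 + timedelta(hours=3), NYC)]                       # outside the 2-hour window
```

The SLOW_FAILS burst would have alerted under the old 1-hour window but stays below the threshold in any 15-minute window, which is the trade-off the shorter window makes.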
Malware Scan Status in Data Inventory
If you have enabled the Prisma Cloud Data Security subscription, you can review the malware scan status in the Data Inventory table on Inventory > Data.
 
Two new columns display the time stamp of when Prisma Cloud received the verdict from the WildFire service, and the scan status, which indicates whether the scan is in progress or failed, whether the file type is unsupported or the file is too large, or whether the object was confirmed as malware or benign.
Read-Only Permission Group Update
Prisma Cloud administrators who are assigned to the read-only permission group can now save filters on the Asset Inventory and Compliance pages.
API Ingestion
Azure Data Lake Analytics
azure-data-lake-analytics-account
Required permissions:
  • Microsoft.DataLakeAnalytics/accounts/read
  • Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/read
  • Microsoft.DataLakeAnalytics/accounts/firewallRules/read
  • Microsoft.DataLakeAnalytics/accounts/storageAccounts/read
  • Microsoft.Authorization/permissions/read
The Reader role includes these permissions, and azure_prisma_cloud_read_only_role.json will be updated to include them.
In addition to the permissions above, on each Azure Data Lake Analytics account you must assign the Prisma Cloud role access to catalog-related information such as ACLs, databases, credentials and external data sources, so that Prisma Cloud can ingest the metadata. For details on how to enable permissions, see Set up your Azure subscription for Prisma Cloud.
 
Azure Data Lake Store (Gen 1)
azure-data-lake-store-gen1-account
Required permissions:
  • Microsoft.DataLakeStore/accounts/read
  • Microsoft.DataLakeStore/accounts/firewallRules/read
  • Microsoft.DataLakeStore/accounts/virtualNetworkRules/read
  • Microsoft.DataLakeStore/accounts/trustedIdProviders/read
The Reader role includes these permissions, and azure_prisma_cloud_read_only_role.json will be updated to include them.
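A check, added here as an example and not part of the release or of azure_prisma_cloud_read_only_role.json, for whether a role definition actually grants the permissions listed for both Data Lake APIs. It applies Azure RBAC's wildcard matching (the built-in Reader role grants `*/read`) and honours NotActions; the custom role shown is constructed to illustrate a role that predates this release.

```python
import fnmatch

# The permissions this release adds for the two Data Lake APIs, as listed above.
REQUIRED_DATA_LAKE_ACTIONS = [
    "Microsoft.DataLakeAnalytics/accounts/read",
    "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/read",
    "Microsoft.DataLakeAnalytics/accounts/firewallRules/read",
    "Microsoft.DataLakeAnalytics/accounts/storageAccounts/read",
    "Microsoft.Authorization/permissions/read",
    "Microsoft.DataLakeStore/accounts/read",
    "Microsoft.DataLakeStore/accounts/firewallRules/read",
    "Microsoft.DataLakeStore/accounts/virtualNetworkRules/read",
    "Microsoft.DataLakeStore/accounts/trustedIdProviders/read",
]

def action_matches(pattern, action):
    """Azure RBAC action matching: '*' spans any characters, including '/', and case is ignored."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def missing_actions(role_definition, required=REQUIRED_DATA_LAKE_ACTIONS):
    """Required actions the role does not grant: unmatched by any actions entry, or removed by notActions."""
    granted, revoked = [], []
    for block in role_definition["permissions"]:
        granted += block.get("actions", [])
        revoked += block.get("notActions", [])
    return [a for a in required
            if not any(action_matches(p, a) for p in granted)
            or any(action_matches(p, a) for p in revoked)]

# Role definitions in the shape returned by `az role definition list`.
# The built-in Reader role grants every */read action.
READER_ROLE = {"roleName": "Reader", "permissions": [{"actions": ["*/read"], "notActions": []}]}

# Constructed custom role (not the shipped JSON) that only knows the Data Lake Store permissions.
OLD_CUSTOM_ROLE = {
    "roleName": "prisma-read-only-example",
    "permissions": [{
        "actions": ["Microsoft.DataLakeStore/*/read", "Microsoft.Authorization/permissions/read"],
        "notActions": ["Microsoft.DataLakeStore/accounts/trustedIdProviders/read"],
    }],
}
```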
 
 
 

New Policy and Policy Updates

 
Policy Updates—RQL and Metadata
AWS Security Groups policies
These policies are renamed to remove the word 'internet' from the name and to leverage nested rules for RQL optimization:
  • AWS Security Groups allow internet traffic from internet to FTP-Data port (20)
  • AWS Security Groups allow internet traffic from internet to FTP port (21)
  • AWS Security Groups allow internet traffic to SSH port (22)
  • AWS Security Groups allow internet traffic from internet to Telnet port (23)
  • AWS Security Groups allow internet traffic from internet to SMTP port (25)
  • AWS Security Groups allow internet traffic from internet to DNS port (53)
  • AWS Security Groups allow internet traffic from internet to Windows RPC port (135)
  • AWS Security Groups allow internet traffic from internet to NetBIOS port (137)
  • AWS Security Groups allow internet traffic from internet to NetBIOS port (138)
  • AWS Security Groups allow internet traffic from internet to CIFS port (445)
  • AWS Security Groups allow internet traffic from internet to SQLServer port (1433)
  • AWS Security Groups allow internet traffic from internet to SQLServer port (1434)
  • AWS Security Groups allow internet traffic from internet to MYSQL port (3306)
  • AWS Security Groups allow internet traffic from internet to RDP port (3389)
  • AWS Security Groups allow internet traffic from internet to MSQL port (4333)
  • AWS Security Groups allow internet traffic from internet to PostgreSQL port (5432)
  • AWS Security Groups allow internet traffic from internet to VNC Listener port (5500)
  • AWS Security Groups allow internet traffic from internet to VNC Server port (5900)
Reason:
  • The word Internet is removed from the policy name and description.
  • The RQL grammar will be updated to use a nested array.
Impact—There is no change in the number of alerts generated against these policies.
Azure Network Security Group policies
The following policies are mapped to the Azure CIS compliance benchmark, and their severity is being updated from Medium to High:
  • Azure Network Security Group having Inbound rule overly permissive to all traffic on TCP protocol
  • Azure Network Security Group having Inbound rule overly permissive to all traffic on UDP protocol
  • Azure Network Security Group having Inbound rule overly permissive to all traffic on any protocol
Reason—The severity was raised because these policies detect Azure network security group inbound rules that are overly permissive, allowing all traffic on all ports for TCP, UDP or any protocol.
Impact—The compliance report may include additional alerts because these three additional policies are mapped to the Azure CIS compliance benchmark.
 
GCP Kubernetes Engine Clusters have HTTP load balancing disabled
Updated RQL—The updated RQL is:
  config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = 'addonsConfig.httpLoadBalancing.disabled equals true'
Impact—Open alerts that are false positives will be resolved.
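To make the behaviour of the json.rule above concrete, here is an added example (not Prisma Cloud's RQL engine) that evaluates the predicate over constructed records in the shape of gcloud-container-describe-clusters output. Only a cluster whose addonsConfig.httpLoadBalancing.disabled is literally true matches; a cluster where the attribute is absent or false does not.

```python
import json

# The json.rule from the updated policy, copied from the release note.
RULE = "addonsConfig.httpLoadBalancing.disabled equals true"

def lookup(obj, dotted_path):
    """Walk a dotted path such as 'addonsConfig.httpLoadBalancing.disabled'; None if any key is absent."""
    for key in dotted_path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def parse_json_rule(rule):
    """Split a single-predicate json.rule of the form '<path> equals <literal>' into its parts."""
    path, op, raw = rule.split(" ", 2)
    if op != "equals":
        raise ValueError(f"unsupported operator: {op}")  # only the operator used above is modelled
    literal = {"true": True, "false": False}.get(raw.lower())
    return path, op, raw.strip("\"'") if literal is None else literal

def matches_rule(resource, rule):
    """Evaluate the predicate against one resource; an absent attribute never equals anything."""
    path, _, expected = parse_json_rule(rule)
    return lookup(resource, path) == expected

def flagged_clusters(clusters, rule=RULE):
    """Names of the clusters the policy would raise an alert on."""
    return [c["name"] for c in clusters if matches_rule(c, rule)]

# Constructed sample in the shape of gcloud-container-describe-clusters output (not real clusters).
SAMPLE_CLUSTERS = json.loads("""[
  {"name": "prod-a", "addonsConfig": {"httpLoadBalancing": {"disabled": true}}},
  {"name": "prod-b", "addonsConfig": {"httpLoadBalancing": {}}},
  {"name": "legacy", "addonsConfig": {}},
  {"name": "dev",    "addonsConfig": {"httpLoadBalancing": {"disabled": false}}}
]""")
```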
Custom Policy Modification
When you modify the RQL in a custom policy, you cannot change the cloud.type or the api.name of the existing policy.
To revise either of these attributes, you must create a new custom policy and disable or delete the existing one.
 
 
 

REST API Updates

 
Infrastructure-As-Code (IaC) Scan API Version 2
A new IaC Scan API that returns scan result details in OASIS Static Analysis Results Interchange Format (SARIF) is available.

 

Last update: 01-25-2021 04:13 PM