on 01-25-2021 04:09 PM - edited on 02-04-2022 01:20 PM by RPrasadi
FEATURE | DESCRIPTION
---|---
Machine Learning Classification Improvements for Unusual User Activity / UEBA Policies | For better detection of anomalies, the machine learning model on Prisma Cloud is being updated. These changes are transparent to you.<br>Excessive login failures: the detection window has been reduced from 1 hour to 15 minutes, and the default threshold is set to 5 failed login events. The model-building thresholds have also been reduced from 7 days and 4 events to 1 day and 1 event, so that incidents are detected sooner.<br>Account hijacking attempts: an alert is generated only when two logins are at least 1000 miles apart within a 2-hour period.<br>Unusual user activity: an unknown-location alert is generated only if the new location is at least 160 miles (previously 120 miles) from every known location in the model.
Malware Scan Status in Data Inventory | If you have enabled the Prisma Cloud Data Security subscription, you can review the malware scan status in the Data Inventory table (Inventory > Data).<br>Two new columns display the time stamp of when Prisma Cloud received the verdict from the WildFire service, and the scan status: in progress, failed, file type not supported or file too large, or the verdict that the object is malware or benign.
Read-Only Permission Group Update | Prisma Cloud administrators assigned to the read-only permission group can now save filters on the Asset Inventory and Compliance pages.
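The three thresholds stated above (5 failures in 15 minutes, 1000 miles within 2 hours, 160 miles from every known location) as a reference implementation over constructed login events. This is an added example, not Prisma Cloud's model or code: the event tuple format, the sample coordinates, the user names and the choice of a sliding window for the failure count are all assumptions made for illustration.

```python
"""Added example: the three UEBA thresholds from the release notes, implemented
over constructed login events. This is not Prisma Cloud's model or code; the
event tuple format, the sample coordinates and the sliding-window choice are
assumptions made for illustration."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8

# Thresholds as stated in the release notes.
LOGIN_FAILURE_WINDOW = timedelta(minutes=15)   # was 1 hour
LOGIN_FAILURE_THRESHOLD = 5                    # failed login events
HIJACK_MIN_MILES = 1000                        # between the two login locations
HIJACK_WINDOW = timedelta(hours=2)
UNKNOWN_LOCATION_MIN_MILES = 160               # was 120


def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


def excessive_login_failures(events, user):
    """True if `user` has at least LOGIN_FAILURE_THRESHOLD failures inside any
    LOGIN_FAILURE_WINDOW sliding window. Events are (time, user, outcome, (lat, lon))."""
    times = sorted(t for t, u, outcome, _ in events if u == user and outcome == "failure")
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > LOGIN_FAILURE_WINDOW:   # slide the window forward
            start += 1
        if end - start + 1 >= LOGIN_FAILURE_THRESHOLD:
            return True
    return False


def account_hijacking(events, user):
    """First pair of successful logins for `user` that are at least HIJACK_MIN_MILES
    apart and no more than HIJACK_WINDOW apart in time, or None."""
    logins = sorted((t, loc) for t, u, outcome, loc in events if u == user and outcome == "success")
    for i, (t1, loc1) in enumerate(logins):
        for t2, loc2 in logins[i + 1:]:
            if t2 - t1 > HIJACK_WINDOW:
                break                      # later logins are even further out in time
            if haversine_miles(loc1, loc2) >= HIJACK_MIN_MILES:
                return (t1, loc1), (t2, loc2)
    return None


def unknown_location(known_locations, new_location):
    """True if `new_location` is at least UNKNOWN_LOCATION_MIN_MILES from every
    location in the user's model."""
    return all(haversine_miles(k, new_location) >= UNKNOWN_LOCATION_MIN_MILES
               for k in known_locations)


# Constructed sample data (not real telemetry).
T0 = datetime(2021, 1, 25, 16, 0)
NYC, LONDON = (40.7128, -74.0060), (51.5074, -0.1278)
PHILADELPHIA, BOSTON = (39.9526, -75.1652), (42.3601, -71.0589)

SAMPLE_EVENTS = (
    [(T0 + timedelta(minutes=m), "alice", "failure", NYC) for m in (0, 3, 6, 9, 12)]
    + [(T0, "bob", "success", NYC), (T0 + timedelta(minutes=90), "bob", "success", LONDON)]
    + [(T0, "carol", "failure", NYC), (T0 + timedelta(minutes=20), "carol", "failure", NYC)]
)


def run_checks(events=SAMPLE_EVENTS):
    """Evaluate every user in `events` against the failure and hijacking policies."""
    users = sorted({u for _, u, _, _ in events})
    return {
        u: {
            "excessive_login_failures": excessive_login_failures(events, u),
            "account_hijacking": account_hijacking(events, u) is not None,
        }
        for u in users
    }


if __name__ == "__main__":
    print(run_checks())
    print("Philadelphia unknown for an NYC-only user:", unknown_location([NYC], PHILADELPHIA))
    print("Boston unknown for an NYC-only user:", unknown_location([NYC], BOSTON))
```

With the sample data, alice trips the failure threshold (5 failures in 12 minutes), bob's New York to London logins 90 minutes apart are flagged as a hijacking attempt, and for a user whose model contains only New York, Philadelphia (about 80 miles) is still a known area while Boston (about 190 miles) counts as an unknown location. The page does not say whether Prisma Cloud evaluates the 15-minute window as sliding or fixed; the sliding form used here is the stricter reading.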
API INGESTION | API NAME | PERMISSIONS
---|---|---
Azure Data Lake Analytics | azure-data-lake-analytics-account | Microsoft.DataLakeAnalytics/accounts/read<br>Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/read<br>Microsoft.DataLakeAnalytics/accounts/firewallRules/read<br>Microsoft.DataLakeAnalytics/accounts/storageAccounts/read<br>Microsoft.Authorization/permissions/read<br>The Reader role includes these permissions, and azure_prisma_cloud_read_only_role.json will be updated to include them.<br>In addition to the permissions above, on each Azure Data Lake Analytics account you must assign the Prisma Cloud role so that it can read catalog information (ACLs, databases, credentials, external data sources) and ingest that metadata. For details on how to enable permissions, see Set up your Azure subscription for Prisma Cloud.
Azure Data Lake Store (Gen 1) | azure-data-lake-store-gen1-account | Microsoft.DataLakeStore/accounts/read<br>Microsoft.DataLakeStore/accounts/firewallRules/read<br>Microsoft.DataLakeStore/accounts/virtualNetworkRules/read<br>Microsoft.DataLakeStore/accounts/trustedIdProviders/read<br>The Reader role includes these permissions, and azure_prisma_cloud_read_only_role.json will be updated to include them.
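A check for the permission requirements above: whether a given Azure custom role definition effectively grants every listed action, honouring the wildcard and NotActions semantics of Azure RBAC (a `*` in an action string matches any run of characters including `/`, matching is case-insensitive, and a NotActions entry vetoes an otherwise matching Actions entry). This is an added example, not Prisma Cloud code: the two role documents are constructed stand-ins, and the file shape (Name, IsCustom, Actions, NotActions, AssignableScopes) is assumed to follow the `az role definition` JSON format rather than copied from azure_prisma_cloud_read_only_role.json.

```python
"""Added example: verify that an Azure custom role definition grants every
action a read-only integration needs, using Azure RBAC's wildcard and
NotActions semantics. This is not Prisma Cloud code; the JSON below is a
constructed stand-in whose shape (Name/Actions/NotActions/AssignableScopes)
follows the `az role definition` file format, and both role documents are
made up for illustration."""
import json
import re

# Actions the release notes list for the two new Azure Data Lake APIs.
REQUIRED_ACTIONS = [
    "Microsoft.DataLakeAnalytics/accounts/read",
    "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/read",
    "Microsoft.DataLakeAnalytics/accounts/firewallRules/read",
    "Microsoft.DataLakeAnalytics/accounts/storageAccounts/read",
    "Microsoft.Authorization/permissions/read",
    "Microsoft.DataLakeStore/accounts/read",
    "Microsoft.DataLakeStore/accounts/firewallRules/read",
    "Microsoft.DataLakeStore/accounts/virtualNetworkRules/read",
    "Microsoft.DataLakeStore/accounts/trustedIdProviders/read",
]

# Constructed: a role shaped like the built-in Reader (every read operation).
READER_LIKE_ROLE = json.loads("""{
  "Name": "example-reader", "IsCustom": true,
  "Actions": ["*/read"], "NotActions": [],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}""")

# Constructed: a custom role written before the Data Lake APIs were added.
STALE_CUSTOM_ROLE = json.loads("""{
  "Name": "example-custom-read-only", "IsCustom": true,
  "Actions": [
    "Microsoft.Authorization/permissions/read",
    "Microsoft.DataLakeAnalytics/*",
    "Microsoft.DataLakeStore/accounts/read",
    "Microsoft.DataLakeStore/accounts/firewallRules/read"
  ],
  "NotActions": ["Microsoft.DataLakeAnalytics/accounts/firewallRules/*"],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}""")


def action_matches(pattern, action):
    """Azure RBAC action matching: case-insensitive, and '*' matches any run of
    characters, including '/' (so '*/read' covers every read operation)."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def is_granted(role, action):
    """An action is effective only if some Actions entry matches it and no
    NotActions entry does."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def missing_actions(role, required=REQUIRED_ACTIONS):
    """Required actions the role does not effectively grant, in input order."""
    return [a for a in required if not is_granted(role, a)]


def updated_role(role, required=REQUIRED_ACTIONS):
    """Return a copy of `role` that grants `required`: append what is missing to
    Actions and drop any NotActions entry that would veto a required action."""
    new_role = json.loads(json.dumps(role))          # deep copy, input untouched
    for action in missing_actions(role, required):
        if action not in new_role.setdefault("Actions", []):
            new_role["Actions"].append(action)
    new_role["NotActions"] = [
        p for p in new_role.get("NotActions", [])
        if not any(action_matches(p, a) for a in required)
    ]
    return new_role


if __name__ == "__main__":
    for name, role in (("reader-like", READER_LIKE_ROLE), ("stale custom", STALE_CUSTOM_ROLE)):
        print(name, "missing:", missing_actions(role))
    print("after update:", missing_actions(updated_role(STALE_CUSTOM_ROLE)))
```

Run against a real role definition, load the file (or the output of `az role definition list --custom-role-only true`) in place of the constructed documents; the point of the NotActions handling is that appending an action to Actions is not enough when a NotActions wildcard already excludes it.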
NEW POLICIES AND POLICY UPDATES | DESCRIPTION
---|---
Policy Updates—RQL and Metadata | AWS Security Groups policies: these policies are renamed to remove the word 'internet' from the name and to use nested rules for RQL optimization.<br>Impact: there is no change in the number of alerts generated against these policies.<br><br>Azure Network Security Group policies<br>Reason: the severity was updated because these policies check for overly permissive Azure network security group inbound rules that are open on all ports for TCP, UDP or any protocol.<br>Impact: the compliance report may include additional alerts because three additional policies are mapped to the Azure CIS compliance benchmark.<br><br>GCP Kubernetes Engine Clusters have HTTP load balancing disabled<br>Updated RQL: config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = 'addonsConfig.httpLoadBalancing.disabled equals true'<br>Impact: open alerts that are false positives will be resolved.
Custom Policy Modification | When you modify the RQL in a custom policy, you cannot change the cloud.type or the api.name of the existing policy. To revise either of these attributes, create a new custom policy and disable or delete the existing one.
|
CHANGE | DESCRIPTION
---|---
Infrastructure-As-Code (IaC) Scan API Version 2 | A new IaC Scan API that returns scan result details in the OASIS Static Analysis Results Interchange Format (SARIF) is available.
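What consuming SARIF output from a scan API looks like in practice: a reader that flattens SARIF 2.1.0 results into records, resolves each result's rule (by ruleIndex or ruleId) to pick up its title and the SARIF default level when a result carries none, and applies a simple CI gate. This is an added example and not Prisma Cloud code; the SARIF document embedded below is constructed for illustration, not an actual IaC Scan API response, and the rule ids, file names and the `properties.severity` field on rules are assumptions.

```python
"""Added example: a minimal reader for SARIF 2.1.0 output such as an IaC scan
API returns. The document below is constructed for illustration and is not an
actual Prisma Cloud response; the rule ids, the `properties.severity` field and
the file names are assumptions."""
import json
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "rule_id level severity title uri line")

# Constructed SARIF 2.1.0 document (not real scanner output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "example-iac-scanner", "rules": [
            {"id": "EX-001", "shortDescription": {"text": "Storage bucket is publicly readable"},
             "properties": {"severity": "high"}},
            {"id": "EX-002", "shortDescription": {"text": "Security group allows ingress from 0.0.0.0/0"},
             "properties": {"severity": "medium"}},
            {"id": "EX-003", "shortDescription": {"text": "Resource has no tags"},
             "defaultConfiguration": {"level": "note"}, "properties": {"severity": "low"}},
        ]}},
        "results": [
            {"ruleId": "EX-001", "level": "error", "message": {"text": "bucket 'logs' acl is public-read"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.tf"},
                                                 "region": {"startLine": 12}}}]},
            {"ruleId": "EX-002", "level": "warning", "message": {"text": "sg 'web' port 22 open to the world"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "network.tf"},
                                                 "region": {"startLine": 40}}}]},
            {"ruleId": "EX-002", "ruleIndex": 1, "level": "warning",
             "message": {"text": "sg 'db' port 3306 open to the world"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "network.tf"},
                                                 "region": {"startLine": 58}}}]},
            # No "level": SARIF falls back to the rule's defaultConfiguration.level.
            {"ruleId": "EX-003", "message": {"text": "instance 'bastion' has no tags"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compute.tf"}}}]},
        ],
    }],
})


def parse_sarif(text):
    """Flatten every result in every run into Finding records."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r.get("id"): r for r in rules}
        for result in run.get("results", []):
            # Resolve the rule by ruleIndex when present, otherwise by ruleId.
            idx = result.get("ruleIndex")
            if isinstance(idx, int) and 0 <= idx < len(rules):
                rule = rules[idx]
            else:
                rule = by_id.get(result.get("ruleId"), {})
            # Level precedence per SARIF: result.level, then the rule default, then "warning".
            level = result.get("level") or rule.get("defaultConfiguration", {}).get("level") or "warning"
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                rule_id=result.get("ruleId", rule.get("id")),
                level=level,
                severity=rule.get("properties", {}).get("severity"),
                title=rule.get("shortDescription", {}).get("text", result.get("message", {}).get("text", "")),
                uri=loc.get("artifactLocation", {}).get("uri"),
                line=loc.get("region", {}).get("startLine"),
            ))
    return findings


def count_by_level(findings):
    """Number of findings per SARIF level (error / warning / note)."""
    return dict(Counter(f.level for f in findings))


def should_fail(findings, fail_on=("error",)):
    """Simple CI gate: fail when any finding is at one of the given levels."""
    return any(f.level in fail_on for f in findings)


if __name__ == "__main__":
    found = parse_sarif(SAMPLE_SARIF)
    for f in found:
        print(f"{f.level:8} {f.rule_id} {f.uri}:{f.line} {f.title}")
    print(count_by_level(found), "fail build:", should_fail(found))
```

Because SARIF is a standard, the same reader works for any tool that emits it, which is the practical benefit of the new API version: the gate and the report format no longer depend on one scanner's proprietary result schema.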