Prisma Cloud Release Notes; Features Introduced in 20.12.2, December 2020

New Features Introduced in 20.12.2

 

New Features

 
FEATURE: IaC Scan Plugin Updates to support IaC Scan API v2

DESCRIPTION: The IntelliJ and CircleCI plugins are updated to use the IaC Scan API v2. The updates simplify the installation and setup workflows. The highlights are:
  • Payload limit increased from 1 MB to 300 MB.
  • With the exception of template-type and version, the other template scan parameters are optional. With Terraform, the plugin detects root modules automatically.
  • Terraform v.13 support.
  • The scan results include a column for the policy URL, which links to more details on the policy that was violated.
  • twistcli updates to support an HTTP proxy for environments that are placed behind a web proxy server.
  • DevOps Inventory dashboard to view and filter IaC scan results on Prisma Cloud.

FEATURE: API Ingestion

DESCRIPTION: New APIs ingested in this release and the permissions they require:
  • AWS Data Migration Service: aws-dms-certificate. The Security Audit role includes the required permissions.
  • AWS Direct Connect: aws-direct-connect-connection. The Security Audit role includes the required permissions.
  • Azure Virtual Network: azure-ddos-protection-plan. Additional permission required: Microsoft.Network/ddosProtectionPlans/read. The Reader role includes this permission, and azure_prisma_cloud_read_only_role.json will be updated to include it.
  • Google Compute Engine: gcloud-compute-instance-disk-snapshot. Additional permissions required: compute.snapshots.list and compute.snapshots.getIamPolicy. The Compute Network Viewer role includes these permissions.
  • Google Cloud Source Repositories: gcloud-cloud-source-repository. Additional permissions required: source.repos.list and source.repos.getIamPolicy. The Project Viewer role and the Source Repository Reader role include these permissions.
 

Updates to Existing Behavior

 
FEATURE WITH BEHAVIOR CHANGE: Alerts on Prisma Cloud

DESCRIPTION: To reduce noise from alerts for accounts that are not actively monitored using Prisma Cloud, when you add a cloud account on Prisma Cloud and then disable it, you can no longer view existing alerts associated with the disabled account on Alerts Overview on Prisma Cloud.
Previously, on disabling an account, the alert status—Open, Snoozed, Dismissed, or Resolved—was retained to indicate the last known state and the Alerts Overview count included these alerts.
 
 

New Policy and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.
 
NEW POLICIES AND POLICY UPDATES

New Policies

Azure app services remote debugging is enabled
  Identifies Azure App Services that have remote debugging enabled, which opens up inbound ports on App Services and increases security risk.
  RQL: config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = config.remoteDebuggingEnabled is true

Azure virtual machine boot diagnostics disabled
  Identifies Azure Virtual Machines with boot diagnostics disabled. Boot diagnostics capture screenshots and console output at virtual machine startup, which helps with troubleshooting the virtual machine if it enters a non-bootable state.
  RQL: config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = ['properties.diagnosticsProfile'].bootDiagnostics.enabled is false

Azure virtual machine scale sets boot diagnostics disabled
  Identifies Azure Virtual Machine scale sets with boot diagnostics disabled. When boot diagnostics is enabled for the virtual machine, it captures screenshots and console output during virtual machine startup and helps with troubleshooting the virtual machine if it enters a non-bootable state.
  RQL: config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-virtual-machine-scale-set' AND json.rule = properties.virtualMachineProfile.diagnosticsProfile.bootDiagnostics.enabled is false

Policy Updates—RQL and Metadata

Alibaba Cloud MFA is disabled for RAM user
  The RQL has been updated to check the MFA device value in order to report users with MFA disabled.
  Updated RQL: config from cloud.resource where cloud.type = 'alibaba_cloud' AND api.name = 'alibaba-cloud-ram-user' AND json.rule = 'MFADevice is empty'
  Impact: Previous alerts will get resolved as Policy_Updated and new alerts will be generated using the revised query.

Alibaba Cloud Security group overly permissive to all traffic
  The Policy Name and Description have been updated. The policy checks for inbound rules that allow traffic from any IP address (0.0.0.0/0).
  Impact: This change does not affect alerts.

Azure storage account logging for queues is disabled
  Updated RQL: config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = 'sku.tier equals Standard and loggingProperties.queue exists and (loggingProperties.queue.readEnabled is false or loggingProperties.queue.writeEnabled is false or loggingProperties.queue.deleteEnabled is false)'
  The RQL has been updated to properly identify Azure Blob Storage accounts.
  Impact: This RQL fix resolves previously opened alerts and marks them as Policy_Updated.

Azure storage account logging for tables is disabled
  Updated RQL: config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = 'sku.tier equals Standard and (loggingProperties.table.readEnabled is false or loggingProperties.table.writeEnabled is false or loggingProperties.table.deleteEnabled is false)'
  The RQL has been updated to properly identify Azure Blob Storage accounts.
  Impact: This RQL fix resolves previously opened alerts and marks them as Policy_Updated.

Policy Updates—Recommendation

AWS Elastic File System (EFS) with encryption for data at rest is disabled
  The recommendation instructions in the policy are updated to replace RedShift with AWS Elastic File System (EFS).
 
 
 

REST API Updates

CHANGE: Update (rate limiting on List Alert APIs)

DESCRIPTION: Prisma Cloud now enforces rate limiting on the following APIs:
  • GET /v2/alert
  • POST /v2/alert
The limit is one request per second for a client session. Requests that exceed the limit receive an HTTP 429 error code.
Impact: While most clients will not see any effect, if you use automation, plan to add delay and retry logic to work within the new rate limits.
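One way for automation to live within the new limit, as an added example that is not Prisma Cloud's own SDK or code: a small Python client that spaces calls to GET and POST /v2/alert at least one second apart and retries on HTTP 429, honouring Retry-After when the server sends it. The transport callable's shape, the demo's query parameters and filter body, and the placeholder token are assumptions; x-redlock-auth is the Prisma Cloud API token header.

```python
import time
from urllib.parse import urlencode
RATE_LIMIT_INTERVAL = 1.0  # one request per second per client session (from the release note)

class ThrottledAlertClient:
    """Paces GET/POST /v2/alert calls and retries on HTTP 429 (added example, not Prisma's SDK)."""
    def __init__(self, transport, token, base_url="https://api.prismacloud.io",
                 max_retries=5, sleep=time.sleep, clock=time.monotonic):
        # transport(method, url, headers, body) -> (status, headers, body) is an assumed shape
        # (wrap requests.request() for real use); sleep/clock are injectable for offline tests.
        self.transport, self.base_url, self.max_retries = transport, base_url, max_retries
        self.headers = {"x-redlock-auth": token, "Accept": "application/json"}
        self.sleep, self.clock, self._last_sent = sleep, clock, None

    def _throttle(self):
        # Space consecutive requests at least RATE_LIMIT_INTERVAL apart.
        if self._last_sent is not None:
            wait = RATE_LIMIT_INTERVAL - (self.clock() - self._last_sent)
            if wait > 0:
                self.sleep(wait)
        self._last_sent = self.clock()

    def _call(self, method, path, body=None):
        for attempt in range(self.max_retries + 1):
            self._throttle()
            status, hdrs, payload = self.transport(method, self.base_url + path, self.headers, body)
            if status != 429:
                return status, payload
            # Honour Retry-After when the server sends it, otherwise back off exponentially.
            self.sleep(float(hdrs["Retry-After"]) if "Retry-After" in hdrs else min(2.0 ** attempt, 30.0))
        raise RuntimeError(f"{method} {path}: still rate limited after {self.max_retries} retries")

    def list_alerts(self, params):          # GET /v2/alert
        return self._call("GET", "/v2/alert?" + urlencode(params))
    def search_alerts(self, filter_body):   # POST /v2/alert
        return self._call("POST", "/v2/alert", body=filter_body)

def demo():
    """Offline run against a constructed transport whose first reply is a 429."""
    st = {"now": 0.0, "sleeps": [], "calls": 0}
    def sleep(s): st["sleeps"].append(s); st["now"] += s
    def transport(method, url, headers, body):
        st["calls"] += 1
        if st["calls"] == 1:
            return 429, {"Retry-After": "2"}, None      # constructed rejection
        return 200, {}, {"items": []}                   # constructed success body
    c = ThrottledAlertClient(transport, "TOKEN-PLACEHOLDER", sleep=sleep, clock=lambda: st["now"])
    s1, _ = c.list_alerts({"timeType": "relative", "timeAmount": 24, "timeUnit": "hour"})
    s2, _ = c.search_alerts({"filters": []})
    return s1, s2, st["calls"], st["sleeps"]   # (200, 200, 3, [2.0, 1.0])
```

In the offline demo the first GET is rejected, the client waits the advertised two seconds and succeeds on retry, and the following POST is held back one further second so the session never exceeds one request per second.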

 
