Prisma Cloud Release Notes, Features Introduced in 20.9.1, September, 2020

Printer Friendly Page
Did you find this article helpful? Yes No
No ratings

 

Features Introduced in 20.9.1

 

 

 

New Features
 
 
 
 
 
 
 
 
 
 
 
FEATURE
DESCRIPTION
Support for AWS Organizations on Prisma Cloud
If you use AWS Organizations to centrally govern and manage access to services and resources on AWS, you can now add the AWS Organization to Prisma Cloud. When you add the AWS Organization, all the member accounts included within the hierarchy will be onboarded to Prisma Cloud in one streamlined workflow.
 

 

Consolidation of Unusual User Activity / UEBA Anomaly Settings
The Unusual User Activity / UEBA settings are now on 
Settings
Anomaly Settings
 along with the Anomaly settings for policies that alert you to network-related incidents.
 

 

You can now set the thresholds for machine learning—number of days and events—and alert disposition—what vectors to use for identifying unusual —for the policies that detect usual user activity and the account hijacking attempts.
Expanded Support for Roles with Just-in-Time (JIT) Provisioning
If you use JIT provisioning to create administrative users on Prisma Cloud, when a user whose profile is mapped with multiple roles on the IdP logs in for the first time on Prisma Cloud, that user is provisioned with multiple roles on Prisma Cloud.
The number of roles supported with JIT provisioning has increased from one to five, and the first one is assigned as the default role on Prisma Cloud. On each subsequent log in, the roles are evaluated again and the access permissions are adjusted locally according to the roles assigned to the user on the IdP.
Rich Text Editor in Email Notification Template
Use the rich text editor to customize the message body in your email notification template on 
Alerts
Notification Templates
. And as you craft it, you can preview how the content will look on the right-hand pane.
 

 

Limited GA
 Prisma Cloud Data Security
Prisma Cloud introduces the Prisma Cloud Data Security capabilities as a Limited GA for selected Prisma Cloud Enterprise Edition customers. With Prisma Cloud Data Security, you can protect data stored on AWS S3 buckets and gain visibility on the scan results directly in the Prisma Cloud dashboard. The data security capabilities include predefined data policies and associated data classification profiles such as PII, Financial, or Healthcare & Intellectual Property that scan your objects stored in the S3 bucket to identify exposure—how sensitive information is kept private, or exposed or shared externally, or allows unauthorized access. It also uses the WildFire service to detect known and unknown malware in these objects.
 

 

API Ingestion
AWS
AWS Elastic Map Reduce—
aws-emr-public-access-block
Additional permissions required:
elasticmapreduce:GetBlockPublicAccessConfiguration
Azure
 
  • Azure Event Hubs—
    azure-event-hubs-namespace
 
  • Azure Logic Apps—
    azure-logic-apps-workflow
 
GCP
 
  • Google Compute— 
    gcloud-compute-image
    Additional permissions required:
    compute.images.list
    compute.images.getIamPolicy
 
  • Google PubSub—
     
  • gcloud-pubsub-topic
    Additional permissions required:
    pubsub.topics.getIamPolicy
    pubsub.topics.list
  •  
  • gcloud-pubsub-subscription
    Additional permissions required:
    pubsub.subscriptions.getIamPolicy
    pubsub.subscriptions.list
  •  
  • gcloud-pubsub-snapshot
    Additional permissions required:
    pubsub.snapshots.getIamPolicy
    pubsub.snapshots.list
  •  
 
New Policy and Policy Updates
See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
POLICY NAME
DESCRIPTION
Saved Search Additions
The following Saved Searches enable you to easily create a policy and generate an alert if you want to check for:
 
  • GCP IAM user with overly permissive privileges
 
  • GCP IAM user not used for the last 90 days
 
  • AWS IAM policy not configured with fine-grained access control, such as such as IP address, Time Of Day, and MFA restrictions
 
Policy Updates- Metadata
Policy Name Update
Current Name—
Azure Security Center 'Also send email notification to subscription owners' value is not set
New Name—
Azure Security Center email notification for subscription owner is not set
Policy Updates—RQL
The RQL in the following policies are updated:
AWS Security Groups allow internet traffic to SSH port (22)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 22 || @.fromPort == 22)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 22 || @.fromPort == 22)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
 
AWS Security Groups allow internet traffic from internet to Windows RPC port (135)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 135 || @.fromPort == 135)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 135 || @.fromPort == 135)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
 
AWS Security Groups allow internet traffic from internet to NetBIOS port (138)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 138 || @.fromPort == 138)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 138 || @.fromPort == 138)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
 
AWS Security Groups allow internet traffic from internet to MSQL port (4333)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 4333 || @.fromPort == 4333)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 4333 || @.fromPort == 4333)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
 
AWS Security Groups allow internet traffic from internet to RDP port (3389)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 3389 || @.fromPort == 3389)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 3389 || @.fromPort == 3389)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
 
AWS Security Groups allow internet traffic from internet to Telnet port (23)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 23 || @.fromPort == 23)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 23 || @.fromPort == 23)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
 
AWS Security Groups allow internet traffic from internet to VNC Listener port (5500)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 5500 || @.fromPort == 5500)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 5500 || @.fromPort == 5500)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
 
AWS Security Groups allow internet traffic from internet to SQLServer port (1434)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1434 || @.fromPort == 1434)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1434 || @.fromPort == 1434)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
 
AWS Security Groups allow internet traffic from internet to CIFS port (445)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 445 || @.fromPort == 445)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 445 || @.fromPort == 445)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
 
AWS Security Groups allow internet traffic to ports which are not commonly used
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = \"(isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' || @.ipProtocol=='icmp' || @.ipProtocol=='icmpv6' || @.ipProtocol=='udp')].ipv6Ranges[*].cidrIpv6 contains ::/0) or (isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' || @.ipProtocol=='icmp' || @.ipProtocol=='icmpv6' || @.ipProtocol=='udp')].ipRanges[*] contains 0.0.0.0/0)\"
 
AWS Security Groups allow internet traffic from internet to SQLServer port (1433)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1433 || @.fromPort == 1433)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1433 || @.fromPort == 1433)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
 
AWS Security Groups allow internet traffic from internet to NetBIOS port (137)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 137 || @.fromPort == 137)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 137 || @.fromPort == 137)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
 
AWS IAM policy allows full administrative privileges
Updated RQL—The RQL has been updated toexclude AdministratorAccess policies in AWS GovCloud accounts. With this change, open alerts for AWS GovCloud resources that were incorrectly identified will be resolved.
config where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = \"document.Statement[?(@.Resource=='*' )].Action equals * and document.Statement[*].Effect equals Allow and policyArn exists and policyArn does not contain iam::aws:policy\/AdministratorAccess\"
 
AWS EKS cluster security group overly permissive to all traffic
Updated RQL—The RQL has been updated to exclude security groups across accounts. With this change, duplicate alerts for shared security groups on EKS clusters will be resolved.
config where cloud.type = 'aws' AND api.name = 'aws-eks-describe-cluster' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; filter '$.X.resourcesVpcConfig.securityGroupIds contains $.Y.groupId and ($.Y.ipPermissions[*].ipv4Ranges[*] contains 0.0.0.0/0 or $.Y.ipPermissions[*].ipv6Ranges[*] contains ::/0) and $.Y.isShared is false'; show Y;
 
AWS RDS instance with copy tags to snapshots disabled
Updated RQL—The RQL has been updated to exclude the Aurora database. With this change, any open alerts for the Aurora database will be resolved.
config where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = '(copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'
 
Azure SQL Database with Auditing Retention less than 90 days
Updated the description, recommendation, and RQL.
Updated RQL—
config where api.name = 'azure-sql-db-list' as X; config where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show X;
REST API Updates
 
 
 
 
 
 
 
CHANGE
DESCRIPTION
Cloud Accounts
The REST API now support AWS organizations. The following have new request body parameters for this support:
 
  • POST /cloud/{cloud_type}
 
  • PUT /cloud/{cloud_type}
 
  • POST /cloud/status/{cloud_type}
 
Policies
The response object for the REST API request 
GET /v2/policy
 had included an unused field 
openAlertsCount
. The response object for 
GET /v2/policy
 no longer includes this field. The issue ID is RLP-23362.
Version history
Revision #:
1 of 1
Last update:
‎09-30-2020 01:25 AM
Updated by:
 
Contributors