Prisma Cloud Release Notes, Features Introduced in 20.9.2, September, 2020

Features Introduced in 20.9.2
New Features
FEATURE
DESCRIPTION
License Credits Used for Non-Onboarded Cloud Accounts
If you have deployed Prisma Cloud Defenders on environments that Prisma Cloud is not monitoring or protecting—such as private cloud or on-premises environments, public cloud providers that Prisma Cloud does not support, or accounts that you have not added to Prisma Cloud—you can now view the credits used to protect the associated resources on the Licensing page.
GCP Cloud Account Onboarding Status Updates
When you add your GCP account on Prisma Cloud, the status message is improved to inform you of missing permissions. The details in the message help you identify the additional permissions you need to grant to the GCP IAM service account for Prisma Cloud.
Nested Rules in Config RQL to Query Data Within JSON Arrays
Nested rules extend the use of logical expressions to metadata contained within a JSON array, so that you can use more than primitive operators for comparisons and a richer query format. With this enhancement, auto completion for json.rule = also becomes available when you construct RQL.
The enhancement allows you to rewrite RQL of the form
config where api.name='a' and json.rule = "$.path[?(@.x == true || @.y == 'str' ..)].val is false"
as
config where api.name='a' and json.rule="$.path[?any[<logical expression>]] exists | does not exist"
As an example, if you used:
config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = "acl.grants[?(@.grantee.typeIdentifier=='id')].grantee.identifier size > 0"
you can now rewrite it as:
config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = acl.grants[?any(grantee.typeIdentifier equals id and grantee.identifier is not empty)] exists
Some more examples:
config where api.name = 'aws-ec2-describe-network-acls' AND json.rule = entries[?any(egress is true and ruleAction contains deny)] exists or tags[?any(value contains production)] exists or tags[*] is empty
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissionsEgress[?any( toPort greater than 22 and ipv4Ranges[?any( cidrIp does not contain "0.0" )] exists )] exists
The last example is a nested condition: toPort and the cidrIp values are checked within the same ipPermissionsEgress array element.
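The point of the ?any(...) form is that every condition inside it is evaluated against the same array element. The following is an added example, not Prisma Cloud code and not an RQL engine: it takes the two conditions of the last query above (toPort greater than 22, and an ipv4Ranges entry whose cidrIp does not contain "0.0"), runs them over a constructed security-group record first per element and then independently across the whole array, and shows that the second approach flags a group that the nested rule correctly leaves alone. The record shapes and group names are constructed for the example.

```python
"""Added example, not Prisma Cloud code and not an RQL engine.

Evaluates the two conditions of the nested-rule example (toPort greater
than 22, and an ipv4Ranges entry whose cidrIp does not contain "0.0")
over constructed security-group records in two ways: per array element,
as ?any(...) does, and independently across the array, as two unrelated
filters would. The second way produces a false positive."""

# Constructed records shaped like the egress part of an
# aws-ec2-describe-security-groups resource. Not real data.
SG_SPLIT_CONDITIONS = {
    "groupName": "app-sg",
    "ipPermissionsEgress": [
        # Rule A: port 22 to a private range. The port condition fails here.
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "192.168.1.0/24"}]},
        # Rule B: port 443 to everywhere. The CIDR condition fails here.
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    ],
}

SG_SINGLE_RULE = {
    "groupName": "db-sg",
    "ipPermissionsEgress": [
        # Both conditions hold on this one element.
        {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
         "ipv4Ranges": [{"cidrIp": "192.168.1.0/24"}]},
    ],
}


def _element_matches(rule):
    """One ipPermissionsEgress element: toPort greater than 22 and
    ipv4Ranges[?any(cidrIp does not contain "0.0")] exists."""
    to_port = rule.get("toPort")
    if to_port is None or to_port <= 22:
        return False
    return any("0.0" not in r.get("cidrIp", "")
               for r in rule.get("ipv4Ranges", []))


def nested_any(sg):
    """ipPermissionsEgress[?any(<both conditions>)] exists: both conditions
    must hold on the same array element."""
    return any(_element_matches(r) for r in sg.get("ipPermissionsEgress", []))


def independent_filters(sg):
    """Each condition checked separately over the whole array, so a different
    element may satisfy each one. This is the correlation the nested form
    avoids losing."""
    rules = sg.get("ipPermissionsEgress", [])
    port_hit = any((r.get("toPort") or 0) > 22 for r in rules)
    cidr_hit = any("0.0" not in ip.get("cidrIp", "")
                   for r in rules for ip in r.get("ipv4Ranges", []))
    return port_hit and cidr_hit


if __name__ == "__main__":
    for name, sg in (("split", SG_SPLIT_CONDITIONS), ("single", SG_SINGLE_RULE)):
        print(f"{name}: nested={nested_any(sg)} independent={independent_filters(sg)}")
```

For app-sg the independent check reports a match because rule B satisfies the port condition and rule A satisfies the CIDR condition, while no single egress rule satisfies both; the per-element check returns no match. For db-sg both approaches agree.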
Policy Descriptor
A human-readable unique policy identifier is added to Prisma Cloud Default policies of type Config, Audit Event, and Network. See the new Policy Descriptor column on the Policies page. This descriptor is an additional field; it does not replace the existing Policy ID that is available when you use the REST API.
Support for Audit Event Logs on AWS China and Azure China
Prisma Cloud tenants deployed on AWS China and Azure China regions can now ingest events recorded in the audit logs of those cloud environments. With this data, you can use event where RQL queries and receive alerts for policies that match on audit events, to identify compliance and operational risks across your infrastructure.
API Ingestion
AWS Transit Gateway
  aws-vpc-transit-gateway
  Additional permission required: ec2:DescribeTransitGateways
  The permission is included in the SecurityAudit predefined role.
AWS Database Migration Service
  aws-dms-endpoint
  Additional permissions required: dms:DescribeEndpoints, dms:ListTagsForResource
  The permissions are included in the SecurityAudit predefined role.
AWS Elastic Beanstalk (updated)
  aws-elasticbeanstalk-configuration-settings
  Additional permission required: s3:GetObject on the Elastic Beanstalk buckets of your partition:
  • AWS commercial: arn:aws:s3:::elasticbeanstalk-*/*
  • AWS GovCloud and FedRAMP: arn:aws-us-gov:s3:::elasticbeanstalk-*/*
  • AWS China: arn:aws-cn:s3:::elasticbeanstalk-*/*
  The CFTs are updated to include a new policy, PrismaCloud-IAM-ReadOnly-Policy-ElasticBeanstalk.
Azure Compute
  azure-disk-list
Azure Logic Apps
  azure-logic-app-custom-connector
  Additional permission required: Microsoft.Web/customApis/read
  If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to azure_prisma_cloud_read_only_role.json.
Azure Resource Manager
  azure-role-assignment
Azure Virtual Network
  azure-network-public-ip-address
  Additional permission required: Microsoft.Network/publicIPAddresses/read
  If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to azure_prisma_cloud_read_only_role.json.
Google Cloud Bigtable
  gcloud-bigtable-table
  Additional permissions required: bigtable.tables.list, bigtable.tables.getIamPolicy
  These permissions are included in the predefined Project Viewer role.
Google Access Context Manager
  gcloud-access-policy
  Additional permissions required: accesscontextmanager.accessPolicies.list, accesscontextmanager.accessLevels.list, accesscontextmanager.servicePerimeters.list
  These permissions are already part of the Project Viewer role. Alternatively, you can use the predefined Access Context Manager Reader role.
Google Compute Engine
  gcloud-compute-route
  Additional permission required: compute.routes.list
  The permission is included in the predefined Project Viewer role.
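Before an account's status degrades for missing permissions, it is useful to diff the onboarding role's policy against the actions a release adds. The following is an added example, not Prisma Cloud code or one of its CFTs: an offline check of an IAM policy document against the AWS actions listed above, including the partition-specific Elastic Beanstalk bucket ARN. The policy documents, account ID and bucket names are constructed; wildcard matching with fnmatch approximates IAM's * and ? matching, and any matching Deny, or an Allow carrying a Condition block, is treated as not reliably granting the permission (both are assumptions of this example, not statements from the page).

```python
"""Added example, not Prisma Cloud code: offline check of whether an IAM
policy document grants the actions this release adds for the new AWS
ingestion APIs.

Assumptions (not from the page): the policy is an IAM policy document as
passed to iam:CreatePolicyVersion; '*' and '?' in Action and Resource are
matched with fnmatch, close to IAM's matching; a matching Deny, or an Allow
with a Condition block, means the permission is not reliably granted."""
import fnmatch

# Actions from the release notes, each with an example resource it must be
# allowed on. The bucket ARN is constructed for a GovCloud account, so it
# uses the aws-us-gov partition named in the notes.
REQUIRED = [
    ("ec2:DescribeTransitGateways", "*"),
    ("dms:DescribeEndpoints", "*"),
    ("dms:ListTagsForResource", "*"),
    ("s3:GetObject",
     "arn:aws-us-gov:s3:::elasticbeanstalk-us-gov-west-1-123456789012/app/config.yml"),
]

# Constructed read-only onboarding policy that predates this release and was
# written for the commercial partition. Not a real Prisma Cloud CFT policy.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "dms:DescribeEndpoints"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::elasticbeanstalk-*/*"},
    ],
}

# Constructed policy showing that an explicit Deny overrides a broad Allow.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dms:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "dms:ListTagsForResource", "Resource": "*"},
    ],
}


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _covers(stmt, action, resource):
    """Does the statement's Action/Resource match the pair? IAM action names
    are case-insensitive; ARNs are compared as written."""
    return (any(_matches(a, action, True) for a in _as_list(stmt.get("Action")))
            and any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource"))))


def is_allowed(policy, action, resource):
    """True only if some unconditional Allow covers the pair and no Deny does."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _covers(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # explicit deny wins, conditional or not
        if stmt.get("Effect") == "Allow" and "Condition" not in stmt:
            allowed = True
    return allowed


def missing_permissions(policy, required):
    """(action, resource) pairs from `required` that the policy does not grant."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    for action, resource in missing_permissions(EXISTING_POLICY, REQUIRED):
        print(f"missing: {action} on {resource}")
```

Against the constructed policy the check reports dms:ListTagsForResource as missing and, because the existing s3:GetObject statement names the arn:aws partition, also s3:GetObject on the aws-us-gov bucket ARN. ec2:DescribeTransitGateways is covered by the existing ec2:Describe* wildcard, which is why it does not appear.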
Terraform Script Updates
If you are using the Terraform scripts that Prisma Cloud provides for onboarding a new GCP account on Prisma Cloud, the scripts are updated to enable additional GCP APIs and to include new permissions that are not included in the predefined Viewer role.
Permissions added:
storage.buckets.getIamPolicy
pubsub.topics.getIamPolicy
pubsub.subscriptions.getIamPolicy
pubsub.snapshots.getIamPolicy
bigquery.tables.get
bigquery.tables.list
GCP APIs additionally enabled by default:
accesscontextmanager.googleapis.com
pubsub.googleapis.com
run.googleapis.com
appengine.googleapis.com
serviceusage.googleapis.com
bigtableadmin.googleapis.com
dataproc.googleapis.com
recommender.googleapis.com
cloudfunctions.googleapis.com
redis.googleapis.com
Permission Updates on AWS CloudFormation Templates for Prisma Cloud Compute Workloads
The AWS CFTs now include additional permissions to ingest data on Compute workloads deployed within AWS cloud accounts that are onboarded to Prisma Cloud.
PrismaCloud-ReadOnly-Policy-Compute role—the CFT used for Monitor mode includes the additional permissions associated with this new role, to enable monitoring of resources that are onboarded for Prisma Cloud Compute.
PrismaCloud-Remediation-Policy-Compute role—the CFT used for Monitor & Protect mode includes the additional permissions associated with this new role, to enable read-write access for monitoring and remediating resources that are onboarded for Prisma Cloud Compute.
 
  • If you do not use the host, serverless function, and container capabilities of Prisma Cloud Compute for the AWS accounts onboarded to Prisma Cloud, you can remove these roles from the CFT.
 
  • Prisma Cloud checks whether the Compute permissions are enabled only if you have one or more compute workloads deployed on the onboarded AWS cloud accounts. The cloud account status transitions from green to amber only when you have compute workloads deployed and the additional permissions are not enabled for Monitor, or Monitor & Protect, mode.
 
New Policy and Policy Updates
See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.
POLICY NAME
DESCRIPTION
New Policies
AWS S3 Buckets Block public access setting disabled—Identifies AWS S3 buckets with the Block public access setting disabled. Enabling Block public access on publicly accessible S3 buckets ensures that data is never accidentally or maliciously exposed publicly.
This policy includes the CLI for automated remediation, when you provide the permissions required.
Saved Search Additions
The following Saved Searches enable you to easily create a policy and generate an alert if you want to check for:
 
  • AWS IAM user/role/policy has unused permissions in the last 90 days_RL
 
  • AWS S3 bucket having policy overly permissive to VPC endpoints
 
  • AWS IAM role with cross-account access_RL
 
Policy Updates—RQL and Metadata
The RQL in the following policies is updated:
Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic from Internet on TCP protocol
Policy Name Updated—Azure Network Security Group (NSG) with Inbound rule overly permissive to 'Internet' source service tag on TCP protocol
Updated RQL—The RQL has been updated to handle traffic on protocol 'Tcp' and 'any' (*) correctly. With this change, the policy alerts on inbound TCP traffic allowed from the 'Internet' source service tag.
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule="securityRules[?(@.sourceAddressPrefix=='Internet' && @.protocol=='Tcp' && @.access=='Allow' && @.destinationAddressPrefix=='*' && @.destinationPortRange=='*')].direction contains Inbound OR securityRules[?(@.sourceAddressPrefix=='Internet' && @.protocol=='*' && @.access=='Allow' && @.destinationAddressPrefix=='*' && @.destinationPortRange=='*')].direction contains Inbound"
 
Azure Network Security Group allows SQL Server (UDP Port 1434)
Policy Name Updated—Azure Network Security Group allowing SQLServer (UDP Port 1434) traffic from 'any' source or with 'Internet' source service tag
Updated RQL—The RQL has been updated. This change affects the number of alerts generated against this policy.
config where api.name= 'azure-network-nsg-list' AND json.rule = "securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Udp' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Udp' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Udp' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Udp' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(1434,1434)"
 
Azure Network Security Group (NSG) allows SSH traffic from internet on port 22
Policy Name Updated—Azure Network Security Group (NSG) allows SSH traffic from 'internet' source service tag on port 22
Updated RQL—The RQL has been updated. This change affects the number of alerts generated against this policy.
config where api.name= 'azure-network-nsg-list' AND json.rule = "securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Tcp' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Tcp' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Tcp' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Tcp' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(22,22)"
 
Azure Network Security Group allows ICMP (Ping)
Updated RQL—The RQL has been updated to handle ICMP pings from both Source 'Any' and 'Internet' service tag.
This change affects the number of alerts generated against this policy.
config where api.name= 'azure-network-nsg-list' AND json.rule = " securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == '*' && @.sourceAddressPrefix == '*' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == '*' && @.sourceAddressPrefix == 'Internet' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == 'Icmp' && @.sourceAddressPrefix == '*' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == 'Icmp' && @.sourceAddressPrefix == 'Internet' )].destinationPortRange contains * "
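The three NSG policies above spell out the same conditions as eight OR'd JSONPath filters each: source '*' or 'Internet', the named protocol or '*', and a single destinationPortRange or a destinationPortRanges list, with _Port.inRange deciding whether the rule's port specification covers the port of interest. The following is an added example, not Prisma Cloud code and not an RQL engine: that matching written once as a function and run over a constructed NSG record, with the port-specification parsing ('*', 'a-b', 'n') that the RQL leaves to _Port.inRange made explicit. Rule names and the NSG are constructed for the example.

```python
"""Added example, not Prisma Cloud code and not an RQL engine: the rule
matching behind the three NSG policies (SSH 22/Tcp, SQL Server 1434/Udp,
ICMP), written once and run over a constructed azure-network-nsg-list
record."""

INTERNET_SOURCES = {"*", "Internet"}  # any source, or the Internet service tag

# Constructed record shaped like the securityRules of an
# azure-network-nsg-list resource. Not real data.
NSG = {
    "name": "web-nsg",
    "securityRules": [
        {"name": "allow-ssh-any", "access": "Allow", "direction": "Inbound",
         "protocol": "Tcp", "sourceAddressPrefix": "*",
         "destinationPortRange": "22"},
        {"name": "allow-mgmt-range", "access": "Allow", "direction": "Inbound",
         "protocol": "*", "sourceAddressPrefix": "Internet",
         "destinationPortRanges": ["1430-1440", "3389"]},
        {"name": "allow-ssh-corp", "access": "Allow", "direction": "Inbound",
         "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8",
         "destinationPortRange": "22"},
        {"name": "allow-ping", "access": "Allow", "direction": "Inbound",
         "protocol": "Icmp", "sourceAddressPrefix": "Internet",
         "destinationPortRange": "*"},
        {"name": "deny-all", "access": "Deny", "direction": "Inbound",
         "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRange": "*"},
    ],
}


def _port_specs(rule):
    """A rule carries one range in destinationPortRange or several in
    destinationPortRanges; the RQL checks both, so collect both."""
    specs = []
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    specs.extend(rule.get("destinationPortRanges", []))
    return specs


def _spec_overlaps(spec, lo, hi):
    """_Port.inRange(lo, hi) against one specification: '*' is every port,
    'a-b' an inclusive range, 'n' a single port."""
    if spec == "*":
        return True
    if "-" in spec:
        a, b = (int(x) for x in spec.split("-", 1))
        return a <= hi and b >= lo
    return lo <= int(spec) <= hi


def _inbound_allow_from_internet(rule):
    return (rule.get("access") == "Allow" and rule.get("direction") == "Inbound"
            and rule.get("sourceAddressPrefix") in INTERNET_SOURCES)


def inbound_open_from_internet(nsg, lo, hi, protocols):
    """Names of rules allowing the given protocols (or '*') inbound from
    '*' or 'Internet' on any port within [lo, hi]."""
    return [r["name"] for r in nsg.get("securityRules", [])
            if _inbound_allow_from_internet(r)
            and r.get("protocol") in (set(protocols) | {"*"})
            and any(_spec_overlaps(s, lo, hi) for s in _port_specs(r))]


def icmp_open_from_internet(nsg):
    """ICMP has no ports; the policy looks for 'Icmp' or '*' protocol rules
    whose destination port specification is '*'."""
    return [r["name"] for r in nsg.get("securityRules", [])
            if _inbound_allow_from_internet(r)
            and r.get("protocol") in {"*", "Icmp"}
            and "*" in _port_specs(r)]


if __name__ == "__main__":
    print("SSH 22/Tcp:", inbound_open_from_internet(NSG, 22, 22, {"Tcp"}))
    print("SQL 1434/Udp:", inbound_open_from_internet(NSG, 1434, 1434, {"Udp"}))
    print("ICMP:", icmp_open_from_internet(NSG))
```

On the constructed NSG the SSH check flags only allow-ssh-any (allow-ssh-corp is limited to a private prefix), the SQL Server check flags allow-mgmt-range because its protocol is '*' and the 1430-1440 range covers 1434, and the ICMP check flags allow-ping. Like the RQL on this page, the example inspects only sourceAddressPrefix and does not consider rule priority, so a rule that uses the plural sourceAddressPrefixes field, or a higher-priority Deny that shadows the Allow, is not accounted for.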
 
AWS Default Security Group does not restrict all traffic
Updated RQL and Recommendation instructions—The RQL now flags every default security group that has any inbound or outbound rule, irrespective of whether the attached IP range is public or private.
This change affects the number of alerts generated against this policy.
config where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = '((groupName == default) and (ipPermissions[*] is not empty or ipPermissionsEgress[*] is not empty))'
 
AWS S3 buckets are accessible to public
Updated Remediation—The remediation has been removed because the updated RQL would require pipelined, multiline execution of CLI commands, which Prisma Cloud does not currently support. With this change, this policy is no longer Remediable from Prisma Cloud.
Updated RQL—The RQL has been updated to check the S3 account-level Block Public Access setting (aws-s3control-public-access-block) in addition to the bucket-level setting, and to alert only when neither setting blocks the exposure. With this change, alerts that were previously generated inaccurately are resolved.
config where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule = "((((acl.grants[?(@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee=='AllUsers')] size > 0) and ((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false))) or (policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false)))) and websiteConfiguration does not exist"
Policy Deletions
The following policies are being removed from Prisma Cloud:
AWS SQS does not have a dead letter queue configured
Any open alerts generated against this policy will be resolved and marked Policy Deleted.
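Returning to the updated RQL of the policy AWS S3 buckets are accessible to public: the query is long because it has to combine two exposure paths (an AllUsers ACL grant, or a public bucket policy) with two places the mitigating Block Public Access flag can live (the bucket or the account). The following is an added example, not Prisma Cloud code and not an RQL engine: that decision logic written as a function and run over constructed bucket records whose field names mirror those the RQL references. It shows the case the update resolves, a bucket with a public ACL whose account-level ignorePublicAcls setting already neutralises it, alongside buckets that still alert. Bucket names and records are constructed.

```python
"""Added example, not Prisma Cloud code and not an RQL engine: the decision
logic of the updated RQL for 'AWS S3 buckets are accessible to public',
run over constructed bucket records."""


def _acl_public(bucket):
    """acl.grants[?(@.grantee=='AllUsers')] size > 0"""
    grants = bucket.get("acl", {}).get("grants", [])
    return any(g.get("grantee") == "AllUsers" for g in grants)


def _policy_public(bucket):
    """policyStatus.isPublic is true"""
    return bucket.get("policyStatus", {}).get("isPublic") is True


def _is_false(config, flag):
    """'<config>.<flag> is false': the block exists and the flag is explicitly false."""
    return config is not None and config.get(flag) is False


def is_publicly_accessible(bucket):
    """True when the bucket is public by ACL or policy and neither the
    bucket-level nor the account-level Block Public Access flag that would
    neutralise that path is set. Static-website buckets are excluded, as in
    the RQL."""
    if "websiteConfiguration" in bucket:
        return False
    bucket_bpa = bucket.get("publicAccessBlockConfiguration")
    account_bpa = bucket.get("accountLevelPublicAccessBlockConfiguration")
    acl_pub, pol_pub = _acl_public(bucket), _policy_public(bucket)

    def unmitigated(flag):
        # The relevant flag is false in every block configuration that exists.
        return ((_is_false(bucket_bpa, flag) and account_bpa is None)
                or (bucket_bpa is None and _is_false(account_bpa, flag))
                or (_is_false(bucket_bpa, flag) and _is_false(account_bpa, flag)))

    no_bpa_anywhere = bucket_bpa is None and account_bpa is None
    return (((acl_pub or pol_pub) and no_bpa_anywhere)
            or (acl_pub and unmitigated("ignorePublicAcls"))
            or (pol_pub and unmitigated("restrictPublicBuckets")))


# Constructed records with the fields the RQL reads. Not real data.
_ALL_BLOCKED = {"blockPublicAcls": True, "ignorePublicAcls": True,
                "blockPublicPolicy": True, "restrictPublicBuckets": True}
SAMPLE_BUCKETS = {
    # Public ACL, no block configuration at either level: alerts.
    "open-acl-no-bpa": {
        "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
        "policyStatus": {"isPublic": False}},
    # Public ACL, but the account-level block ignores public ACLs: no alert.
    # This is the false positive the update resolves.
    "open-acl-account-bpa": {
        "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
        "policyStatus": {"isPublic": False},
        "accountLevelPublicAccessBlockConfiguration": dict(_ALL_BLOCKED)},
    # Public policy; bucket-level block exists but does not restrict it: alerts.
    "public-policy-bucket-bpa-off": {
        "acl": {"grants": [{"grantee": "OwnerId", "permission": "FULL_CONTROL"}]},
        "policyStatus": {"isPublic": True},
        "publicAccessBlockConfiguration": dict(_ALL_BLOCKED,
                                               blockPublicPolicy=False,
                                               restrictPublicBuckets=False)},
    # Public policy neutralised by the bucket-level restrictPublicBuckets: no alert.
    "public-policy-bucket-restricts": {
        "acl": {"grants": [{"grantee": "OwnerId", "permission": "FULL_CONTROL"}]},
        "policyStatus": {"isPublic": True},
        "publicAccessBlockConfiguration": dict(_ALL_BLOCKED)},
    # Public ACL on a static-website bucket: excluded by the RQL.
    "open-acl-website": {
        "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
        "policyStatus": {"isPublic": False},
        "websiteConfiguration": {"indexDocument": "index.html"}},
}


def evaluate(buckets):
    """Map bucket name to whether the policy would alert on it."""
    return {name: is_publicly_accessible(b) for name, b in buckets.items()}


if __name__ == "__main__":
    for name, alerts in evaluate(SAMPLE_BUCKETS).items():
        print(f"{'ALERT ' if alerts else 'ok    '} {name}")
```

Only open-acl-no-bpa and public-policy-bucket-bpa-off alert. Note that, like the RQL, this evaluates configuration attributes only; it does not test whether any object is actually readable, and it relies on the account-level setting being present on each bucket record, which is what the aws-s3control-public-access-block ingestion mentioned above provides.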
REST API Updates
CHANGE
DESCRIPTION
Infrastructure-as-Code (IaC) Scan Service
A new set of APIs lets you submit templates to the Prisma Cloud IaC scan service and check them against policies asynchronously. The new APIs are:
 
  • POST /scans
 
  • POST /scans/{scanId}
 
  • GET /scans/{scanId}/status
 
  • GET /scans/{scanId}/results
 
User Role
The response object for the following APIs includes a new property, additionalAttributes.hasDefenderPermissions:
 
  • GET /user/role
 
  • GET /user/role/{id}
 
The request body parameters for the following APIs also include additionalAttributes.hasDefenderPermissions as a new parameter:
 
  • POST /user/role
 
  • PUT /user/role/{id}
 
Policy
The response object for GET /filter/policy/suggest includes a new filter suggestion, policy.class.
Last update: 09-30-2020 01:28 AM