|Automated Remediation CLI for Multi-Step Tasks||In a Prisma Cloud custom policy, you can now define up to 5 CLI commands in a sequence for an automatic remediation workflow such as disassociating an EC2 instance from a security group before deleting the EC2 instance. To resolve an alert, you can separate each command with a semi-colon, and the sequence is executed in the order defined in policy. If an automated remediation CLI command fails, the execution stops at that command.|
Event RQL Attribute for Anomaly Policy
The event where query enables you to identify and investigate events relating to the different types of anomalies such as bruteforce login attempts or location-based anomalies using the attribute anomaly.type.
For example, event where anomaly.type IN ( 'Activity-based Anomaly (UBA)', 'Bruteforce Login', 'Device finger print (Account Hijacking)', 'Impossible time travel (Account Hijacking)', 'Location & Activity-based Anomaly (UBA)', 'Location-based Anomaly (UBA)' )
You also have the option to look for anomalous activities with the has.anomaly</font or exclude them with NOT has.anomaly attributes.
|Support for AWS GovCloud (East)||Prisma Cloud can now ingest configuration data, cloud trail and VPC flow logs from AWS GovCloud (East) region in addition to the current support for AWS GovCloud (West) region.|
|Permission Updates for AWS CFTs||The permission in the AWS read-only and read-write CFTs for AWS public cloud and AWS GovCloud are updated to include ec2:describeRegions. With this update Prisma Cloud can get data on the AWS cloud accounts for all enabled regions.|
|Rename—Azure Security Center policy update.||The policy Automatic provisioning of monitoring agent is set to Off in Security Center is renamed as Azure Security Center automatic provisioning of monitoring agent is set to Off. And the RQL is updated to use api.name = 'azure-security-center-settings'.|
|Update —AWS Amazon Machine Image (AMI) is publicly accessible||The policy AWS Amazon Machine Image (AMI) is publicly accessible is updated to find every public AMI owned by the account. These AMIs are now ingested, in addition to the AMIs that are private or shared with the account being monitored on Prisma Cloud.|
|AWS EMR cluster is not configured with security configuration||Identifies Amazon EMR clusters that do not use security configurations to configure data encryption, Kerberos authentication, and Amazon S3 authorization for EMRFS.|
|AWS EMR cluster is not configured with Kerberos authentication.||Identifies AWS EMR clusters that are not configured with Kerberos authentication.|
|AWS EMR cluster is not configured with SSE KMS for data at rest encryption (Amazon S3 with EMRFS)||Identifies EMR clusters which are not configured with Server Side Encryption Kerberos Managed Keys (SSE KMS) for data at rest encryption of Amazon S3 with EMRFS.|
|AWS EMR cluster is not configured with CSE CMK for data at rest encryption (Amazon S3 with EMRFS).||Identifies EMR clusters which are not configured with Client Side Encryption Customer Master Keys (CSE CMK) for data at rest encryption of Amazon S3 with EMRFS.|
|AWS EMR cluster is not enabled with local disk encryption using CMK.||Identifies AWS EMR clusters which are not enabled with local disk encryption using Customer Managed Key (CMK) to protect digital data confidentiality.|
|AWS EMR cluster is not enabled with local disk encryption.||Identifies AWS EMR clusters that are not enabled for encrypting data stored on the local disk to protect digital data confidentiality.|
|AWS EMR clusters are not enabled with encryption in transit.||Identifies AWS EMR clusters which are not enabled with encryption in transit, to protect data from unauthorized access as it travels through the network, between clients and storage servers.|
|AWS EMR clusters are not enabled with encryption at rest.||Identifies AWS EMR clusters that are not enabled with encryption at rest to protect digital data confidentiality.|
For more information, please review Features Introduced in December.