FEATURE | DESCRIPTION |
Coverage for the Personal Information Protection and Electronic Documents Act Standard | Prisma Cloud adds support for the Personal Information Protection and Electronic Documents Act (PIPEDA), a Canadian federal privacy law that protects the rights and privacy of consumers. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. The coverage for this compliance standard is available across AWS, Azure, and GCP. |
Notification Template Updates and Event Management Support for ServiceNow |
Prisma Cloud now adds support for the Event Management module, the default reporting table on ServiceNow.
Along with this enhancement, the ServiceNow integration includes the following usability improvements:
|
More Policies for NIST CSF Compliance |
Prisma Cloud now has increased policy coverage for the NIST Cybersecurity Framework v1.1 on Azure and GCP, bringing the count to over 30 policies on each of these cloud platforms.
|
Set Function in RQL to Compare or Combine Lists and Find a Value |
The _Set function lets you compare or combine the values in two lists (the left-hand side and the right-hand side) using union or intersection, and identify whether a specific value or a comma-separated list of values is included in the result set.
The supported methods are _Set.intersection and _Set.union. You can use the boolean operator intersects to verify whether the result set contains the value(s) you are looking for.
For example, to detect Internet-exposed instances that have a public IP address and a firewall rule with 0.0.0.0/0 whose destination has a specific target tag:
config where api.name = 'gcloud-compute-instances-list' as X; config where api.name = 'gcloud-compute-firewall-rules-list' as Y; filter '$.X.networkInterfaces[*].network contains $.Y.network and $.X.networkInterfaces[*].accessConfigs[*].natIP size greater than 0 and $.Y.direction contains INGRESS and $.Y.sourceRanges[*] contains 0.0.0.0/0 and $.X.tags.items[*] intersects $.Y.targetTags[*] and $.Y.disabled contains false'; show X; |
RQL Function to find a specific address or subnet within a CIDR |
In an RQL Config query, you can now use _IPAddress.inCIDRRange to find whether a specific IPv4 or IPv6 address or subnet is part of a specific CIDR block or supernetwork.
For example:
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[].ipv4Ranges[].cidrIp,106.51.77.60/24) is true'
or
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,10.0.0.0/8) is true and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,172.31.0.0/12) is true and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,192.168.0.0/16) is true' |
Auto remediation on GCP Storage Buckets with gsutil |
If you would like to enable auto remediation on all GCP Storage buckets, you can use gsutil from the command line. Support for gsutil allows you to limit excessive permissions for specific sets of IAM users or to restrict buckets from being open to the internet.
The gsutil command is supported, along with gcloud, only for GCP Storage policies with the API name gcloud-storage-buckets-list. For example: gcloud iam --project=${account} list-grantable-roles;gsutil versioning set off gs://${resourceName}; |
Alert Notification Emails with Attachments |
You can now send alerts instantly or schedule them as recurring batched jobs to any email address, and not only to Prisma Cloud administrators. The email recipients receive a complete list of all open alerts, as scheduled. In the email, you can opt to include the remediation information for the policies that triggered the alerts, and to attach the alert details as a CSV file or as a compressed zip file. An email can have up to 10 attachments with a total size limit of 9 MB. The uncompressed CSV file can have 900 rows per attachment, while the compressed zip file limit is 95000 rows per attachment. |
API Ingestion Update |
Azure: The azure-sql-server-list API is modified to ingest JSON metadata on the server encryption protector type, such as ServiceManaged or AzureKeyVault.
AWS: Some of the new APIs require additional permissions. To ingest the resources that require these permissions, you must update the CFT.
|
Deprecated APIs |
GCP: Prisma Cloud no longer ingests the following APIs:
|
Saved Search Addition for Azure VMs |
The saved search "Azure VM endpoint protection extension is not installed" helps you identify VMs that do not have endpoint protection enabled. You can edit the json.rule = Extensions.*.virtualMachineExtensionType is empty OR Extensions.*.virtualMachineExtensionType is not member of attribute in the RQL to add the endpoint protection extensions that are approved by your organization. |
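The join performed by the _Set / intersects example query in the table above can be modelled offline. The following is an added example, not Prisma Cloud code: it applies the same conditions to constructed inventory whose field names follow the JSON paths in the query; the function and helper names are hypothetical.

```python
# Added example: all inventory below is constructed; field names follow the
# JSON paths in the query (networkInterfaces, accessConfigs, targetTags, ...).

def exposed_instances(instances, firewall_rules):
    """Names of instances with a public IP that an enabled, world-open ingress
    rule on the same network targets through at least one shared tag."""
    hits = []
    for inst in instances:
        nics = inst.get("networkInterfaces", [])
        networks = {n.get("network") for n in nics}
        has_public_ip = any(
            ac.get("natIP") for n in nics for ac in n.get("accessConfigs", [])
        )
        tags = set(inst.get("tags", {}).get("items", []))
        for rule in firewall_rules:
            if (
                has_public_ip
                and rule.get("network") in networks
                and rule.get("direction") == "INGRESS"
                and "0.0.0.0/0" in rule.get("sourceRanges", [])
                and rule.get("disabled") is False
                # The `intersects` test: at least one tag in common.
                and tags & set(rule.get("targetTags", []))
            ):
                hits.append(inst["name"])
                break
    return hits

def nic(network, nat_ip=None):
    """Build one constructed network interface, with or without a public IP."""
    return {"network": network, "accessConfigs": [{"natIP": nat_ip}] if nat_ip else []}

INSTANCES = [
    {"name": "web-1", "tags": {"items": ["web", "prod"]}, "networkInterfaces": [nic("net-a", "203.0.113.10")]},
    {"name": "db-1", "tags": {"items": ["db"]}, "networkInterfaces": [nic("net-a", "203.0.113.11")]},
    {"name": "web-2", "tags": {"items": ["web"]}, "networkInterfaces": [nic("net-a")]},
]
RULES = [
    {"network": "net-a", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["web"], "disabled": False},
    # No targetTags: an empty set never intersects, so this rule matches nothing here.
    {"network": "net-a", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"], "disabled": False},
]

if __name__ == "__main__":
    print(exposed_instances(INSTANCES, RULES))
```

A GCP firewall rule without target tags or target service accounts applies to every instance on its network, so rules like the second one need a separate check that does not depend on a tag intersection.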
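The containment test described for _IPAddress.inCIDRRange in the table above can be reproduced with Python's ipaddress module. This is an added example, not Prisma Cloud code: it assumes the semantics stated on this page (the address or subnet must lie inside the given block), and the security group below is constructed.

```python
import ipaddress

def in_cidr_range(value, block):
    """True when the address or subnet `value` lies entirely inside `block`.
    Assumed semantics, taken from the description on this page."""
    # strict=False accepts CIDRs with host bits set, such as 106.51.77.60/24.
    inner = ipaddress.ip_network(value, strict=False)
    outer = ipaddress.ip_network(block, strict=False)
    if inner.version != outer.version:
        return False  # an IPv4 range is never inside an IPv6 block
    return inner.subnet_of(outer)

def ranges_in_block(security_group, block):
    """cidrIp values of a security group that fall inside `block`."""
    return [
        r["cidrIp"]
        for perm in security_group.get("ipPermissions", [])
        for r in perm.get("ipv4Ranges", [])
        if in_cidr_range(r["cidrIp"], block)
    ]

# Constructed sample shaped like aws-ec2-describe-security-groups output.
SG = {
    "groupId": "sg-constructed",
    "ipPermissions": [
        {"ipv4Ranges": [{"cidrIp": "10.20.0.0/16"}, {"cidrIp": "0.0.0.0/0"}]},
        {"ipv4Ranges": [{"cidrIp": "106.51.77.14/32"}]},
    ],
}

if __name__ == "__main__":
    # 0.0.0.0/0 is a supernet of 10.0.0.0/8, not a part of it, so it is not listed.
    print(ranges_in_block(SG, "10.0.0.0/8"))
    print(ranges_in_block(SG, "106.51.77.60/24"))
```

Under these semantics a wide-open 0.0.0.0/0 rule is not reported as being inside a private block, so detecting open rules needs its own condition.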
POLICY | DESCRIPTION |
Azure Storage Account Policies updates to RQL |
The RQL associated with the following policies that detect Azure Storage Account analytics has been revised to exclude Azure Premium Storage:
|
New Azure Policies for Activity Logs |
The following new policies are added to identify changes in activity alert logs, which you can use to detect suspicious activity more easily.
|
For more information, please review the new features in the Prisma Cloud January 31, 2020 Release Notes in TechDocs.