on 07-24-2020 01:49 AM - edited on 10-12-2022 01:55 PM by RPrasadi
FEATURE
|
DESCRIPTION
|
---|---|
Support for GCP Folders
|
When you add your GCP Organization to Prisma Cloud, you can now view all the projects or folders that are contained in the organization hierarchy and choose to add all the projects, or selectively include or exclude the projects and folders you want to monitor, or monitor and protect using Prisma Cloud.
|
Prisma Cloud as a PAYG Subscription on the AWS Marketplace
|
Prisma Cloud is available as an hourly PAYG subscription on the AWS Marketplace. With this new listing, you can use the Prisma Cloud Enterprise Edition license for the first 15 days as a free trial, and then you are billed based on hourly usage; there is no long-term contract required.
|
(Coming Soon) Support Domain-based Message Authentication, Reporting & Conformance (DMARC) |
Email notifications from Prisma Cloud will include the domain name to support Domain-based Message Authentication, Reporting & Conformance (DMARC), and the email address noreply@paloaltonetworks.com is being replaced with noreply@prismacloud.paloaltonetworks.com.
To ensure that you continue to receive emails, please replace noreply@paloaltonetworks.com with noreply@prismacloud.paloaltonetworks.com in your approved sender list. |
New Filters for Policies
|
The Policies page has three new filters for Category, Class, and Subtype, and the table view includes these filters as new columns. The Category filter enables you to separate incidents from risks and prioritize what you want to focus on based on your role. You can, for example, use this filter to identify policies that identify incidents before policies that identify risky configurations.
The Class filter logically groups policies. Use it to separate policies that affect your area of focus, and delegate as appropriate.
The Subtype filter separates the various types of policies that pertain to each policy Type. For example, Anomaly policies are split into two subtypes—Network and UEBA.
|
Updates for Inclusive Language on Prisma Cloud
|
Prisma Cloud has updated all references to whitelist on the API and management console.
Settings > IP Whitelisting
Settings > Trusted IP Addresses
Trusted Alert IP Addresses (previously Login IP Whitelisting) and Trusted Login IP Addresses (previously called Trusted IP Whitelisting)
See Public REST API Updates also.
|
Exclusion of Trusted Sources in Anomaly
|
To exclude trusted IP addresses that are internal or known, such as those you may use to conduct tests for PCI compliance or penetration testing on your network, you can now add these IP addresses in a CIDR format on the Trusted IP Address List on Settings > Anomaly Settings.
|
GCP Flow Logs Update
|
GCP flow logs are now available for Prisma Cloud tenants deployed on https://app.prismacloud.io. You do not need to submit a special request to enable flow logs on your tenant.
|
Amazon SQS Integration Supports a Separate IAM Role
|
When integrating Prisma Cloud with Amazon SQS, you now have the flexibility to use a separate IAM role to enable alert notifications to SQS.
If you use the CFT to onboard your AWS account and the SQS queue belongs to the same cloud account, the Prisma Cloud IAM Role policy has the permissions required for Amazon SQS. And, by default, Prisma Cloud accesses the SQS queue with these credentials.
If this is not applicable for the SQS queue you are trying to integrate, when you add a new SQS integration, you can provide the IAM credentials (Access Key and Secret Key) associated with that role (Settings > Integrations).
The IAM user whose security credentials (Access and Secret Keys) you provide must have sqs:SendMessage and sqs:SendMessageBatch permissions. |
API Ingestion
|
AWS
GCP
|
Saved Search Additions
|
Use the following Saved Search to easily create a policy and generate an alert if you want to check for:
|
AutoFocus Updates: change in threat source name in RQL, and access to AutoFocus from the Prisma Cloud Console.
|
The AutoFocus threat intelligence feed was referred to as threat.source in ( AF) and that is now updated to be threat.source in ( AutoFocus), for example:
network where dest.publicnetwork IN ('Suspicious IPs') AND threat.source IN ( 'AutoFocus' ) AND threat.tag.group = 'Cryptominer'
Additionally, if you have an AutoFocus license, you can now click the IP address link to launch the AutoFocus portal and search for a Suspicious IP address directly from the Investigate page.
|
Compliance Standards in Business Unit Reports
|
When generating the Business Unit report, you can now filter on one or more compliance standards to ensure that the report data is only for the alerts that are associated with policies which are tied to the selected compliance standards.
|
API Ingestion
|
APIs to ingest:
|
GCP Las Vegas Region Support
|
Prisma Cloud can now monitor resources deployed in the Las Vegas region. To review the list of supported regions, use the Cloud Region filter on the Asset Inventory. |
Prisma Cloud Service for AWS China
|
Start using the Prisma Cloud tenant in China (https://app.prismacloud.cn) to connect to your AWS China accounts deployed in the Ningxia and Beijing regions.
|
Prisma Cloud Service in Singapore
|
Prisma Cloud is now available in the Singapore region. You can select this region when you sign up for the service from the AWS Marketplace or the Palo Alto Networks Marketplace.
|
POLICY NAME
|
DESCRIPTION
|
---|---|
Alibaba Cloud RAM user with both console access and access keys
|
Identifies Resource Access Management (RAM) users who can access both the Alibaba Cloud management console and the API. As a best practice, limit what the user can do and give permissions for console access or the API.
|
AWS policies that enable auto-remediation
|
The following policies are updated:
The additional permissions required to enable auto-remediation for these policies are:
"kms:EnableKeyRotation", "rds:ModifyEventSubscription", "eks:UpdateClusterConfig", "rds:ModifyDBInstance", "redshift:ModifyCluster"
|
Internet exposed instances
|
Updated the Internet exposed instances policy to identify AWS Cloud workloads that are exposed to the Internet. With this change, this policy now applies to AWS only.
|
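A least-privilege check for the two permission lists in these notes (sqs:SendMessage and sqs:SendMessageBatch for the SQS integration, and the five auto-remediation actions), as an added example that is not Prisma Cloud code. It reports required actions a policy document does not effectively allow and any Allow patterns beyond the required set; the policy documents and queue ARN are constructed samples, and Condition, NotAction and NotResource elements are not evaluated.

```python
import fnmatch

# Permissions named in the release notes above.
SQS_REQUIRED = ["sqs:SendMessage", "sqs:SendMessageBatch"]
REMEDIATION_REQUIRED = [
    "kms:EnableKeyRotation", "rds:ModifyEventSubscription",
    "eks:UpdateClusterConfig", "rds:ModifyDBInstance", "redshift:ModifyCluster",
]

def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])

def _matches(value, patterns, fold=True):
    # IAM action names are case-insensitive; '*' and '?' act as wildcards.
    if fold:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def audit_policy(policy, required, resource=None):
    """Return (missing, extra): required actions not effectively allowed, and
    Allow patterns that go beyond the required set. Simplified evaluation:
    Condition, NotAction and NotResource are ignored (assumption)."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    allow, deny = [], []
    for s in stmts:
        res = _as_list(s.get("Resource", "*"))
        if resource and not _matches(resource, res, fold=False):
            continue  # statement does not cover the resource being checked
        (allow if s.get("Effect") == "Allow" else deny).extend(_as_list(s.get("Action")))
    wanted = {a.lower() for a in required}
    # An explicit Deny overrides any Allow for the same action.
    missing = [a for a in required if not _matches(a, allow) or _matches(a, deny)]
    extra = sorted({p for p in allow if p.lower() not in wanted})
    return missing, extra

# Constructed samples: policies for a dedicated SQS integration user (placeholder ARN).
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:prisma-alerts"
TIGHT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SQS_REQUIRED, "Resource": QUEUE_ARN}]}
LOOSE = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sqs:*", "Resource": "*"}}
# Constructed sample: role policy that does not yet cover every remediation action.
ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:EnableKeyRotation", "rds:Modify*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "rds:ModifyDBInstance", "Resource": "*"}]}
```

Calling `audit_policy(LOOSE, SQS_REQUIRED, QUEUE_ARN)` returns no missing actions but flags `sqs:*` as extra, while `audit_policy(ROLE, REMEDIATION_REQUIRED)` lists the actions that still need to be granted.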
CHANGE
|
DESCRIPTION
|
---|---|
Deprecated and replacement REST API endpoint paths
|
The REST endpoint paths in the following list are deprecated. A new endpoint replaces each deprecated endpoint. The deprecated endpoints will be removed in the near future:
The x-redlock-status header values have been updated in a similar manner (e.g. login_ip_whitelist_missing_field is now login_ip_allow_list_missing_field). |
Cloud accounts and GCP Folders
|
There are additions to the cloud account REST APIs, including additions to the request parameters to on-board cloud accounts, to support the new feature Support for GCP Folders.
|
Anomalies Trusted List
|
There are new REST API endpoints to support the anomalies trusted list.
|
Amazon SQS integration
|
The REST API for Amazon SQS integration has some new but optional request parameters.
|
Policies
|
There are three new read-only attributes in the Policy and Policy View models (the latter is in the response to a List Policies request) to describe the hierarchy of a policy. New policy filters exist for these attributes.
|
Alerts
|
Requests to list alerts by policy (GET or POST /alert/policy) no longer include alert rules in the response object. Alert rules are available through requests for individual alert information.
|