Prisma Cloud Release Notes For July 14, 2020

ENwankwo1 · ‎07-24-2020

Features Introduced on July 14, 2020

New Features

FEATURE	DESCRIPTION
Support for GCP Folders	When you add your GCP Organization to Prisma Cloud, you can now view all the projects or folders that are contained in the organization hierarchy and choose to add all the projects, or selectively include or exclude the projects and folders you want to monitor, or monitor and protect using Prisma Cloud.
Prisma Cloud as a PAYG Subscription on the AWS Marketplace	Prisma Cloud is available as an hourly PAYG subscription on the AWS Marketplace. With this new listing, you can use the Prisma Cloud Enterprise Edition license for the first 15 days as a free trial, and then you are billed based on hourly usage; there is no long-term contract required.
( Coming Soon ) Support Domain-based Message Authentication, Reporting & Conformance (DMARC)	Email notifications from Prisma Cloud will include the domain name to support Domain-based Message Authentication, Reporting & Conformance (DMARC), and the email address noreply@paloaltonetworks.com is being replaced with noreply@prismacloud.paloaltonetworks.com. To ensure that you continue to receive emails, please replace noreply@paloaltonetworks.com with noreply@prismacloud.paloaltonetworks.com in your approved sender list.
New Filters for Policies	The Policies page has three new filters for Category , Class , and Subtype . And the table view includes these filters as new columns. The Category filter enables you to separate incidents from risks and prioritize what you want to focus on based on your role. You can for example, use this filter to identify policies that identify incidents before policies that identify risky configurations. The Class filter logically groups policies. Use it to separate policies that affect your area of focus, and delegate as appropriate. The Subtype filter separates the various types of policies that pertain to each policy Type. For example, Anomaly policies are split into two subtypes—Network and UEBA.
Updates for Inclusive Language on Prisma Cloud	Prisma Cloud has updated all references to whitelist on the API and management console. Settings IP Whitelisting is renamed as Settings Trusted IP Addresses , where you can specify Trusted Alert IP Addresses (previously Login IP Whitelisting ) and Trusted Login IP Addresses (previously called Trusted IP Whitelisting) See Public REST API Updates also.
Exclusion of Trusted Sources in Anomaly Policies	To exclude trusted IP addresses that are internal or known, such as those you may use to conduct tests for PCI compliance or penetration testing on your network, you can now add these IP addresses in a CIDR format on the Trusted IP Address List on Settings Anomaly Settings . Any addresses included in this list do not generate alerts against the Prisma Cloud Anomaly policies that detect unusual network activity such as the policies that detect port scan and port sweep activity, unusual server and port activity and Spambot.
GCP Flow Logs Update	GCP flow logs are now be available for Prisma Cloud tenants deployed on https://app.prismacloud.io. You do not need to submit a special request to enable flow logs on your tenant.
Amazon SQS Integration Supports a Separate IAM Role	When integrating Prisma Cloud with Amazon SQS, you now have the flexibility to use a separate IAM role to enable alert notifications to SQS. If you use the CFT to onboard your AWS account and the SQS queue belongs to the same cloud account, the Prisma Cloud IAM Role policy has the permissions required for Amazon SQS. And, by default, Prisma Cloud accesses the SQS queue with these credentials. If this is not applicable for the SQS queue you are trying to integrate, when you add a new SQS integration, you can provide the IAM credentials (Access Key and Secret Key) associated with that role ( Settings Integrations ). The IAM user, whose security credentials (Access and Secret Keys) you provide must have sqs:SendMessage and sqs:SendMessageBatch permissions.
API Ingestion	AWS noCloudTrailFound attribute no longer ingested for aws-cloudtrail-describe-trails API. With this change, Prisma Cloud will no longer ingest the noCloudTrailFound attribute, for an AWS account that does not have CloudTrail enabled in a given region. If you have any custom policies that use this attribute, the alerts against this policy will be marked as resolved. GCP Google Compute Engine—gcloud-compute-project-info Google Dataproc Clusters —gcloud-dataproc-clusters-list For the gcloud-compute-api Prisma Cloud now includes labels assigned to your GCP project. You can use the tag attribute to find resources tagged with labels in config where RQL queries.
Saved Search Additions	Use the following Saved Search to easily create a policy and generate an alert if you want to check for: AWS IAM policy with unused permissions AutoFocus saved searches are consolidated by tag groups to detect malicious activities that are initiated from a internal source on your network or from an external source.
AutoFocus Updates —Change in threat source name in RQL and access the AutoFocus from the Prisma Cloud Console.	The AutoFocus threat intelligence feed was referred to as threat.source in ( AF) and that is now updated to be threat.source in ( AutoFocus) For example, the RQL should now be: network where dest.publicnetwork IN ('Suspicious IPs') AND threat.source IN ( 'AutoFocus' ) AND threat.tag.group = 'Cryptominer' Additionally, if you have an AutoFocus license, you can now click the IP address link to launch the AutoFocus portal and search for a Suspicious IP address directly from the Investigate page.
Compliance Standards in Business Unit Reports	When generating the Business Unit report, you can now filter on one or more compliance standards to ensure that the report data is only for the alerts that are associated with policies which are tied to the selected compliance standards.
API Ingestion	APIs to ingest: Azure custom policy definitions at the subscription level. Azure Policy — azure-policy-definition Updated the JSON structure for the azure-storage-account-list API to display the total count of containers that are accessible publicly. In addition, the data ingested displays the name of the first 1000 containers in this list. noCloudTrailFound attribute no longer ingested for aws-cloudtrail-describe-trails API. If you have any custom policies that use this attribute, the alerts against this policy will be marked as resolved.
GCP Las Vegas Region Support	Prisma Cloud can now monitor resources deployed in the Las Vegas region. To review the list of supported regions, use the Cloud Region filter on the Asset Inventory .
Prisma Cloud Service for AWS China	Start using the Prisma Cloud tenant in China (https://app.prismacloud.cn) to connect to your AWS China accounts deployed in the Ningxia and Beijing regions.
Prisma Cloud Service in Singapore	Prisma Cloud is now available in the Singapore region. You can select this region, when you sign up for the service from the AWS Marketplace or the Palo Alto Networks Marketplace.

New Policy and Policy Updates

POLICY NAME	DESCRIPTION
Alibaba Cloud RAM user with both console access and access keys	Identifies Resource Access Management (RAM) users who can access both the Alibaba Cloud management console and the API. As a best practice, limit access to what the user can do to and give permissions for console access or the API.
AWS policies that enable auto-remediation	The following policies are updated: AWS Customer Master Key (CMK) rotation is not enabled AWS EKS cluster endpoint access publicly enabled AWS RDS event subscription disabled for DB instance AWS EKS control plane logging disabled AWS Redshift clusters should not be publicly accessible AWS RDS database instance is publicly accessible AWS RDS minor upgrades not enabled AWS RDS instance without Automatic Backup setting The additional permissions required to enable auto-remediation for these policies are: "kms:EnableKeyRotation", "rds:ModifyEventSubscription", "eks:UpdateClusterConfig", "rds:ModifyDBInstance", "redshift:ModifyCluster"
Internet exposed instances	Updated the Internet exposed instances policy to identify AWS Cloud workloads that are exposed to the Internet. With this change, this policy now applies to AWS only.

Public REST API Updates

CHANGE	DESCRIPTION
Deprecated and replacement REST API endpoint paths	The REST endpoint paths in the following list are deprecated. A new endpoint replaces each deprecated endpoint. The deprecated endpoints will be removed in the near future: Deprecated: /ip_whitelist_login New: /ip_allow_list_login Deprecated: /ip_whitelist_login/{id} New: /ip_allow_list_login/{id} Deprecated: /ip_whitelist_login/status New: /ip_allow_list_login/status Deprecated: /ip_whitelist_login/tab New: /ip_allow_list_login/tab Deprecated: /whitelist/network New: /allow_list/network Deprecated: /whitelist/network/{networkUuid} New: /allow_list/network/{networkUuid} Deprecated: /whitelist/network/{networkUuid}/cidr New: /allow_list/network/{networkUuid}/cidr Deprecated: /whitelist/network/{networkUuid}/cidr/{cirdUuid} New: /allow_list/network/{networkUuid}/cidr/{cirdUuid} The x-redlock-status header values have been updated in a similar manner (e.g. login_ip_whitelist_missing_field is now login_ip_allow_list_missing_field ).
Cloud accounts and GCP Folders	There are additions to the cloud account REST APIs, including additions to the request parameters to on-board cloud accounts, to support the new feature Support for GCP Folders.
Anomalies Trusted List	There are new REST API endpoints to support the anomalies trusted list.
Amazon SQS integration	The REST API for Amazon SQS integration has some new but optional request parameters.
Policies	There are three new read-only attributes in the Policy and Policy View models (the latter is in the response to a List Policies request) to describe the hierarchy of a policy. New policy filters exist for these attributes.
Alerts	Requests to list alerts by policy (GET or POST /alert/policy) no longer include alert rules in the response object. Alert rules are available through requests for individual alert information.