Prisma Cloud Release Notes For July 14, 2020

Features Introduced on July 14, 2020
New Features
FEATURE
DESCRIPTION
Support for GCP Folders
When you add your GCP Organization to Prisma Cloud, you can now view all the projects or folders that are contained in the organization hierarchy and choose to add all the projects, or selectively include or exclude the projects and folders you want to monitor, or monitor and protect using Prisma Cloud.
Prisma Cloud as a PAYG Subscription on the AWS Marketplace
Prisma Cloud is available as an hourly PAYG subscription on the AWS Marketplace. With this new listing, you can use the Prisma Cloud Enterprise Edition license for the first 15 days as a free trial, and then you are billed based on hourly usage; there is no long-term contract required.
(Coming Soon) Support for Domain-based Message Authentication, Reporting & Conformance (DMARC)
Email notifications from Prisma Cloud will include the domain name to support Domain-based Message Authentication, Reporting & Conformance (DMARC), and the email address noreply@paloaltonetworks.com is being replaced with noreply@prismacloud.paloaltonetworks.com.
To ensure that you continue to receive emails, replace noreply@paloaltonetworks.com with noreply@prismacloud.paloaltonetworks.com in your approved sender list.
New Filters for Policies
The Policies page has three new filters: Category, Class, and Subtype. The table view includes these filters as new columns.
The Category filter enables you to separate incidents from risks and prioritize what you want to focus on based on your role. For example, you can use this filter to look at policies that identify incidents before policies that identify risky configurations.
The Class filter logically groups policies. Use it to separate the policies that affect your area of focus, and delegate as appropriate.
The Subtype filter separates the various types of policies that pertain to each policy Type. For example, Anomaly policies are split into two subtypes: Network and UEBA.
Updates for Inclusive Language on Prisma Cloud
Prisma Cloud has updated all references to whitelist on the API and in the management console.
Settings > IP Whitelisting is renamed to Settings > Trusted IP Addresses, where you can specify Trusted Alert IP Addresses (previously Login IP Whitelisting) and Trusted Login IP Addresses (previously called Trusted IP Whitelisting).
Exclusion of Trusted Sources in Anomaly Policies
To exclude trusted IP addresses that are internal or known, such as those you may use to conduct tests for PCI compliance or penetration testing on your network, you can now add these IP addresses in CIDR format to the Trusted IP Address List on Settings > Anomaly Settings. Any addresses included in this list do not generate alerts against the Prisma Cloud Anomaly policies that detect unusual network activity, such as the policies that detect port scan and port sweep activity, unusual server and port activity, and Spambot.
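The suppression logic described above, written out as an added example (not Prisma Cloud's own code): a trusted list in CIDR format is validated, and constructed anomaly findings whose source address falls inside a trusted network are dropped. The event field names and the refusal of a /0 entry are assumptions added here so that a catch-all entry cannot silently disable the anomaly policies.

```python
import ipaddress
from typing import Iterable

# Constructed sample: what an admin would enter on Settings > Anomaly Settings.
TRUSTED_CIDRS = ["10.20.0.0/16", "203.0.113.7/32"]

# Constructed sample anomaly findings; field names are an assumption,
# not Prisma Cloud's alert schema.
ANOMALY_EVENTS = [
    {"policy": "Port scan activity", "src_ip": "10.20.4.9"},        # internal PCI scanner
    {"policy": "Port sweep activity", "src_ip": "198.51.100.23"},   # unknown external host
    {"policy": "Spambot activity", "src_ip": "203.0.113.7"},        # authorised pentest box
    {"policy": "Unusual server port activity", "src_ip": "not-an-ip"},
]


def parse_trusted_list(cidrs: Iterable[str]):
    """Validate the trusted list. Malformed entries raise ValueError, and a
    prefix length of 0 is refused because it would suppress every alert."""
    networks = []
    for entry in cidrs:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all trusted network {entry}")
        networks.append(net)
    return networks


def is_trusted(src_ip: str, networks) -> bool:
    """True when src_ip lies inside any trusted CIDR. An address that does
    not parse is never trusted, so the finding still alerts."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def filter_anomaly_alerts(events, cidrs):
    """Return only the findings that should still raise an anomaly alert."""
    networks = parse_trusted_list(cidrs)
    return [e for e in events if not is_trusted(e["src_ip"], networks)]


if __name__ == "__main__":
    for alert in filter_anomaly_alerts(ANOMALY_EVENTS, TRUSTED_CIDRS):
        print(f"ALERT {alert['policy']} from {alert['src_ip']}")
```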
GCP Flow Logs Update
GCP flow logs are now available for Prisma Cloud tenants deployed on https://app.prismacloud.io. You do not need to submit a special request to enable flow logs on your tenant.
Amazon SQS Integration Supports a Separate IAM Role
When integrating Prisma Cloud with Amazon SQS, you now have the flexibility to use a separate IAM role to enable alert notifications to SQS.
If you use the CFT to onboard your AWS account and the SQS queue belongs to the same cloud account, the Prisma Cloud IAM Role policy has the permissions required for Amazon SQS. And, by default, Prisma Cloud accesses the SQS queue with these credentials. 
If this is not applicable for the SQS queue you are trying to integrate, when you add a new SQS integration you can provide the IAM credentials (Access Key and Secret Key) associated with that role (Settings > Integrations).
The IAM user whose security credentials (Access and Secret Keys) you provide must have the sqs:SendMessage and sqs:SendMessageBatch permissions.
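An added example (not Prisma Cloud's or AWS's own code) of what a least-privilege policy for that IAM user looks like, plus a review check that flags the mistakes a practitioner commonly finds on integration users: wildcard actions, a resource of "*" instead of the one queue ARN, actions beyond the two listed, or one of the two missing. The queue ARN is a constructed placeholder.

```python
import json

# Constructed placeholder; replace with the ARN of the queue Prisma Cloud notifies.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:prisma-cloud-alerts"

# The two permissions the SQS integration requires.
REQUIRED_ACTIONS = {"sqs:SendMessage", "sqs:SendMessageBatch"}


def build_sqs_policy(queue_arn: str) -> dict:
    """IAM policy for the user whose access key and secret key are entered on
    Settings > Integrations: only the two send actions, scoped to one queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PrismaCloudSqsAlerts",
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": queue_arn,
        }],
    }


def review_policy(policy: dict) -> list:
    """Return findings for a policy attached to the integration user."""
    findings, granted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action in ("*", "sqs:*"):
                findings.append(f"wildcard action {action}")
            elif action not in REQUIRED_ACTIONS:
                findings.append(f"unneeded action {action}")
            granted.add(action)
        if any(r == "*" or r.endswith(":*") for r in resources):
            findings.append("statement is not scoped to a single queue ARN")
    if not granted & {"*", "sqs:*"}:  # a wildcard already covers both actions
        findings += [f"missing {a}" for a in sorted(REQUIRED_ACTIONS - granted)]
    return findings


if __name__ == "__main__":
    print(json.dumps(build_sqs_policy(QUEUE_ARN), indent=2))
```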
API Ingestion
AWS
 
  • The noCloudTrailFound attribute is no longer ingested for the aws-cloudtrail-describe-trails API. With this change, Prisma Cloud will no longer ingest the noCloudTrailFound attribute for an AWS account that does not have CloudTrail enabled in a given region. If you have any custom policies that use this attribute, the alerts against those policies will be marked as resolved.
 
GCP
 
  • Google Compute Engine: gcloud-compute-project-info
 
  • Google Dataproc Clusters: gcloud-dataproc-clusters-list
 
  • For the gcloud-compute-api, Prisma Cloud now includes the labels assigned to your GCP project. You can use the tag attribute to find resources tagged with labels in config where RQL queries.
 
Saved Search Additions
Use the following Saved Search to easily create a policy and generate an alert if you want to check for:
 
  • AWS IAM policy with unused permissions
 
  • AutoFocus saved searches are consolidated by tag groups to detect malicious activities that are initiated from an internal source on your network or from an external source.
 
AutoFocus Updates: Change in threat source name in RQL, and access AutoFocus from the Prisma Cloud Console
The AutoFocus threat intelligence feed was previously referred to as threat.source in ('AF'); this is now updated to threat.source in ('AutoFocus'). For example, the RQL should now be:
network where dest.publicnetwork IN ('Suspicious IPs') AND threat.source IN ( 'AutoFocus' ) AND threat.tag.group = 'Cryptominer'
Additionally, if you have an AutoFocus license, you can now click the IP address link on the Investigate page to launch the AutoFocus portal and search for a Suspicious IP address directly.
Compliance Standards in Business Unit Reports
When generating the Business Unit report, you can now filter on one or more compliance standards to ensure that the report data is only for the alerts that are associated with policies which are tied to the selected compliance standards.
API Ingestion
APIs to ingest:
 
  • Azure Policy: azure-policy-definition, which ingests Azure custom policy definitions at the subscription level.
 
  • Updated the JSON structure for the azure-storage-account-list API to display the total count of containers that are accessible publicly. In addition, the data ingested displays the names of the first 1000 containers in this list.
 
  • The noCloudTrailFound attribute is no longer ingested for the aws-cloudtrail-describe-trails API. If you have any custom policies that use this attribute, the alerts against those policies will be marked as resolved.
 
GCP Las Vegas Region Support
Prisma Cloud can now monitor resources deployed in the Las Vegas region. To review the list of supported regions, use the Cloud Region filter on the Asset Inventory.
Prisma Cloud Service for AWS China
Start using the Prisma Cloud tenant in China (https://app.prismacloud.cn) to connect to your AWS China accounts deployed in the Ningxia and Beijing regions.
Prisma Cloud Service in Singapore
Prisma Cloud is now available in the Singapore region. You can select this region when you sign up for the service from the AWS Marketplace or the Palo Alto Networks Marketplace.
New Policy and Policy Updates
POLICY NAME
DESCRIPTION
Alibaba Cloud RAM user with both console access and access keys
Identifies Resource Access Management (RAM) users who can access both the Alibaba Cloud management console and the API. As a best practice, limit what the user can do and grant permissions for either console access or the API, not both.
AWS policies that enable auto-remediation
The following policies are updated:
 
  • AWS Customer Master Key (CMK) rotation is not enabled
 
  • AWS EKS cluster endpoint access publicly enabled
 
  • AWS RDS event subscription disabled for DB instance
 
  • AWS EKS control plane logging disabled
 
  • AWS Redshift clusters should not be publicly accessible
 
  • AWS RDS database instance is publicly accessible
 
  • AWS RDS minor upgrades not enabled
 
  • AWS RDS instance without Automatic Backup setting
 
The additional permissions required to enable auto-remediation for these policies are: 
"kms:EnableKeyRotation", "rds:ModifyEventSubscription", "eks:UpdateClusterConfig", "rds:ModifyDBInstance", "redshift:ModifyCluster"
Internet exposed instances
Updated the Internet exposed instances policy to identify AWS Cloud workloads that are exposed to the Internet. With this change, this policy now applies to AWS only.
Public REST API Updates
CHANGE
DESCRIPTION
Deprecated and replacement REST API endpoint paths
The REST endpoint paths in the following list are deprecated. A new endpoint replaces each deprecated endpoint. The deprecated endpoints will be removed in the near future:
 
  • Deprecated: /ip_whitelist_login
    New: /ip_allow_list_login
 
  • Deprecated: /ip_whitelist_login/{id}
    New: /ip_allow_list_login/{id}
 
  • Deprecated: /ip_whitelist_login/status
    New: /ip_allow_list_login/status
 
  • Deprecated: /ip_whitelist_login/tab
    New: /ip_allow_list_login/tab
 
  • Deprecated: /whitelist/network
    New: /allow_list/network
 
  • Deprecated: /whitelist/network/{networkUuid}
    New: /allow_list/network/{networkUuid}
 
  • Deprecated: /whitelist/network/{networkUuid}/cidr
    New: /allow_list/network/{networkUuid}/cidr
 
  • Deprecated: /whitelist/network/{networkUuid}/cidr/{cirdUuid}
    New: /allow_list/network/{networkUuid}/cidr/{cirdUuid}
 
The x-redlock-status header values have been updated in a similar manner (e.g. login_ip_whitelist_missing_field is now login_ip_allow_list_missing_field).
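An added example (not part of the Prisma Cloud API or SDK) of how a client could finish this migration before the deprecated endpoints are removed: the two deprecated path prefixes from the list above are rewritten to their replacements while the trailing segments ({id}, {networkUuid}, {cidrUuid} or concrete values) are kept, and the x-redlock-status rename is applied the same way. The sample request log is constructed, and applying the whitelist to allow_list substitution to status values other than the one the note lists is an assumption based on "updated in a similar manner".

```python
import re

# Deprecated path prefixes and their replacements, from the list above. The
# lookahead stops the prefix from matching unrelated paths that merely start
# with the same characters.
PATH_RENAMES = [
    (re.compile(r"^/ip_whitelist_login(?=/|$)"), "/ip_allow_list_login"),
    (re.compile(r"^/whitelist/network(?=/|$)"), "/allow_list/network"),
]

# The one header value pair the release note gives explicitly.
STATUS_RENAMES = {
    "login_ip_whitelist_missing_field": "login_ip_allow_list_missing_field",
}

# Constructed sample of request paths seen in a client's log.
SAMPLE_PATHS = [
    "/alert/policy",
    "/ip_whitelist_login/status",
    "/whitelist/network/3f2b-1/cidr/9c0a-2",
    "/allow_list/network",
]


def migrate_path(path: str) -> str:
    """Rewrite a deprecated REST path to its replacement; any other path is
    returned unchanged, and trailing path segments are preserved."""
    for pattern, replacement in PATH_RENAMES:
        if pattern.search(path):
            return pattern.sub(replacement, path, count=1)
    return path


def is_deprecated(path: str) -> bool:
    return migrate_path(path) != path


def migrate_status(value: str) -> str:
    """Map a deprecated x-redlock-status value to its new form. Values not in
    the table get the generic whitelist -> allow_list rename (an assumption)."""
    return STATUS_RENAMES.get(value, value.replace("whitelist", "allow_list"))


def audit_requests(paths):
    """Return (old, new) pairs for every path still using a deprecated endpoint."""
    return [(p, migrate_path(p)) for p in paths if is_deprecated(p)]


if __name__ == "__main__":
    for old, new in audit_requests(SAMPLE_PATHS):
        print(f"deprecated {old} -> use {new}")
```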
Cloud accounts and GCP Folders
There are additions to the cloud account REST APIs, including new request parameters for onboarding cloud accounts, to support the new GCP Folders feature.
Anomalies Trusted List
There are new REST API endpoints to support the anomalies trusted list.
Amazon SQS integration
The REST API for Amazon SQS integration has new, optional request parameters.
Policies
There are three new read-only attributes in the Policy and Policy View models (the latter is in the response to a List Policies request) to describe the hierarchy of a policy. New policy filters exist for these attributes.
Alerts
Requests to list alerts by policy (GET or POST /alert/policy) no longer include alert rules in the response object. Alert rules are available through requests for individual alert information.