Prisma Cloud Articles


Featured Article

Prisma Cloud Product and Customer Success: Webinar Recordings

Oct. 2020 - Introducing Prisma Cloud Compute 20.09, the latest update to our Cloud Workload Protection Platform. Join the Compute PM team (Aqsa Taylor, Avi Shulman, Hari Srinivasan, Tomer Spivak, and Pradnesh Patil) as they present a hands-on demo of the new features we've added in the latest major release, such as cluster-aware radar, git repo scanning, enhanced host security, and Compute SaaS integration in Prisma Cloud Enterprise Edition.
Sep. 2020 - Learn about what is new in the upcoming Prisma Cloud Compute release: enhanced cluster awareness across the product, a more integrated cloud account onboarding process between Compute and the Prisma Cloud platform, our first step in securing packages prior to build time with Git repository scanning, an enhanced look for our host security, and our new and improved application firewall capability, transitioning CNAF into WAAS (Web Application and API Security).
Aug. 2020 - Learn about the recent releases and the product roadmap
July 2020 - AutoFocus integration (Network Security) and micro-segmentation
Jun. 2020 - Brief preview of the upcoming Data Security module and Q&A about Data Security
May 2020 - Learn about the recent releases and the roadmap
Apr. 2020 - For developers and DevOps: tools to use natively in their IDE, Git, and CI/CD environments; and Prisma Cloud - Compute integration features
Mar. 2020 - Malware: Investigate and Remediate
Feb. 2020 - Malware: Incident and Impact
Jan. 2020 - Upcoming New Features in Prisma Cloud
Dec. 2019 - Prisma Cloud + Twistlock Integration
Nov. 2019 - Learning to manage alerts
Oct. 2019 - Learning to use RQL
Features Introduced in 20.10.1

New Features

Role-Based Authentication on Amazon SQS Integration
When integrating Prisma Cloud with Amazon SQS, you now have the flexibility to specify an IAM Role to enable alert notifications to SQS. If you use Assume Role for cross-account access to AWS resources, you can provide the Role ARN and External ID associated with the IAM Role on Prisma Cloud.

Support for CIS v1.1.0 on GCP and CIS v1.3.0 on AWS
The CIS compliance standard on Prisma Cloud is updated to include policy updates that check for compliance with the requirements and sections in the benchmark as outlined in v1.1.0 on GCP and v1.3.0 on AWS. For example, on GCP the requirements and sections are updated to add support for BigQuery and IAM, and on AWS they add IAM, SNS, and S3. Refer to the CIS benchmarks for details on all the services that are in scope for the update.

Trusted Source Exclusion for UEBA Anomaly Policies
To exclude internal or external IP addresses, such as addresses that belong to system administrators or those you use for testing access to new instances or services, you can now add them in CIDR format on Settings > Anomaly Settings > Anomaly Trusted List. Any addresses included in this list will not generate alerts against the specified Prisma Cloud Anomaly Policies.
If you had previously specified these IP addresses on Settings > Trusted IP Addresses > Trusted Alert IP Addresses, use this enhancement to delete the existing configuration and re-add the addresses to the Anomaly Trusted List. When you add the CIDR block to the Anomaly Trusted List, you can specify a specific cloud account or VPC with which the addresses are associated.

API Ingestion

AWS Glue: aws-glue-connection
  Additional permissions required: glue:GetConnection

Azure Virtual Network is updated to include information on loadBalancerBackendAddressPools for:
  azure-network-lb-list
  azure-network-nic-list

Azure Event Hub: azure-event-hub
  Additional permissions required:
    Microsoft.EventHub/namespaces/eventhubs/read
    Microsoft.EventHub/namespaces/eventhubs/authorizationRules/read
  If you use the Terraform templates that Prisma Cloud provides for onboarding, the permissions are added to azure_prisma_cloud_read_only_role.json.

Google Cloud Spanner: gcloud-cloud-spanner-instance
  Additional permissions required: spanner.instances.list
  This permission is included in the predefined Project Viewer role.

Update: Risk Rating is Removed
Prisma Cloud has removed the Risk Rating from the following places:
  - On Dashboard > SecOps, the Risk Rating By Scanned Accounts widget.
  - On the Cloud Security Assessment report, the Scanned Resources by Risk Rating chart.
  - On Alerts > Overview, the filter for Risk Grade.
  - The Rating column on the Alerts details page.
  - The Rating column in the .csv file, when you download alerts or receive an attachment as a scheduled alert email.
The deprecation notice was published starting 20.8.2.

New Policy and Policy Updates
See Look Ahead—Planned Updates on Prisma Cloud to learn what's coming soon.

New Policies

GCP SQL database is assigned with public IP: Identifies GCP SQL databases that are assigned a public IP address, which increases application latency and network risks.

GCP VM instance with the external IP address: Identifies VM instances that are accessible using an external or public IP address. To reduce your attack surface, VM instances should not have a public/external IP address and should be configured behind load balancers, to minimize the risks associated with direct exposure to the internet.

GCP VM instance with Shielded VM features disabled: Identifies VM instances on which the Shielded VM features are disabled. Shielded VMs are VMs on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.

GCP SQL database instance is not configured with automated backups: Identifies the GCP SQL database instances that are not configured with automated backups to protect against loss or damage.

AWS Network ACLs allow ingress traffic to server administration ports: Identifies AWS Network Access Control Lists (NACLs) that include rules to allow ingress traffic on server administration ports.

Policy Updates—RQL and Metadata
The following policies are updated:

Azure disk is unattached and not encrypted
  Policy name updated: Azure disk is unattached and is encrypted with the default encryption key instead of ADE/CMK
  Updated RQL:

    config where cloud.type = 'azure' AND api.name = 'azure-disk-list' AND json.rule = '(managedBy does not exist or managedBy is empty) and (encryptionSettings does not exist or encryptionSettings.enabled is false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'

  With this change this policy will identify Azure disks that are unattached and not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK] or Customer Managed Key [SSE with CMK].

Azure Data disk is not encrypted
  Policy name updated: Azure VM data disk is encrypted with the default encryption key instead of ADE/CMK
  Updated RQL:

    config where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType does not exist and managedBy exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'

  With this change this policy will identify Azure disks that are not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK] or Customer Managed Key [SSE with CMK].

Azure disk for VM operating system is not encrypted at rest using ADE
  Policy name updated: Azure VM OS disk is encrypted with the default encryption key instead of ADE/CMK
  Updated RQL:

    config where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'

  With this change this policy will identify Azure disks that are not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK].

SQL Instances do not have SSL configured
  Updated RQL:

    config where cloud.type = 'gcp' AND api.name='gcloud-sql-instances-list' and json.rule = "(settings.ipConfiguration.requireSsl is true and _DateTime.ageInDays(serverCaCert.expirationTime) > -1) or not (settings.ipConfiguration.requireSsl is true)"

  With this change, the policy identifies SQL instances with expired SSL certificates in addition to instances on which SSL is not enabled.

REST API Updates

Update: Deprecated Prisma Cloud Public REST APIs for IP Allow List have been removed
The following APIs have been removed:
  GET /whitelist/network
  POST /whitelist/network
  GET /whitelist/network/{uuid}
  PUT /whitelist/network/{uuid}
  POST /whitelist/network/{uuid}/cidr
  PUT /whitelist/network/{uuid}/cidr/{cidrUuid}
  DELETE /whitelist/network/{uuid}/cidr/{cidrUuid}
  GET /ip_whitelist_login
  POST /ip_whitelist_login
  GET /ip_whitelist_login/{id}
  PUT /ip_whitelist_login/{id}
  DELETE /ip_whitelist_login/{id}
  GET /ip_whitelist_login/status
  PATCH /ip_whitelist_login/status
  GET /ip_whitelist_login/tab

Update: Deprecated Prisma Cloud Public REST API fields for Enterprise Settings have been removed
The enterprise settings model fields anomalyTrainingModelThreshold and anomalyAlertDisposition have been removed. These fields are no longer in:
  The response object for GET /settings/enterprise
  The request body parameters for POST /settings/enterprise

Amazon SQS integration
The request body for the Prisma Cloud APIs to add, update, or test an Amazon SQS integration includes two new parameters for IAM role support. The new parameters are:
  integrationConfig.roleArn
  integrationConfig.externalId
The APIs that include these new request body parameters are:
  POST /integration/test
  POST /integration
  PUT /integration/{id}

Resource RRN
The object model for the Prisma Cloud Restricted Resource Name (RRN) includes a new read-only property, idmapId. The response object for each of the following APIs includes this new property:
  GET /resource
  GET /resource/raw
Features Introduced in 20.9.2

New Features

License Credits Used for Non-Onboarded Cloud Accounts
If you have deployed Prisma Cloud Defenders on environments that Prisma Cloud is not monitoring or protecting (such as private cloud or on-premises environments, public cloud providers that are not supported on Prisma Cloud, or accounts that you have not added to Prisma Cloud), you can now view the credits used to protect the associated resources on the Licensing page.

GCP Cloud Account Onboarding Status Updates
When you add your GCP account on Prisma Cloud, the status message is improved to inform you of missing permissions. The details in the message help you identify the additional permissions you need to grant to the GCP IAM service account for Prisma Cloud.

Nested Rules in Config RQL to Query Data Within JSON Arrays
Nested rules extend the use of logical expressions to metadata contained within a JSON array, so that you can use more than primitive operators for comparisons and a richer query format. With this enhancement, auto-completion for json.rule = also becomes available when you construct RQL.

The enhancement allows you to rewrite RQL of the form

    config where api.name= 'a' and json.rule = "$.path[?(@.x == true || @.y == 'str' ..)].val is false"

as

    config where api.name= 'a' and json.rule= "$.path[?any[<logical expression>]] exists | does not exist"

As an example, if you used:

    config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = "acl.grants[?(@.grantee.typeIdentifier=='id')].grantee.identifier size > 0"

you can now rewrite it as:

    config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = acl.grants[?any(grantee.typeIdentifier equals id and grantee.identifier is not empty )] exists

Some more examples:

    config where api.name = 'aws-ec2-describe-network-acls' AND json.rule = entries[?any(egress is true and ruleAction contains deny)] exists or tags[?any(value contains production)] exists or tags[*] is empty

    config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissionsEgress[?any( toPort greater than 22 and ipv4Ranges[?any( cidrIp does not contain "0.0" )] exists )] exists

In the last query, the nested rule lets you check that toPort and cidrIp are included within the same array element.

Policy Descriptor
A human-readable unique policy identifier is added to Prisma Cloud default policies of type Config, Audit Event, and Network. See the new Policy Descriptor column on the Policies page. This unique descriptor is an additional field; it does not replace the existing Policy ID that is available when you use the REST API.

Support for Audit Event Logs on AWS China and Azure China
Prisma Cloud tenants deployed in AWS China and Azure China regions can now ingest events recorded in audit logs from your cloud environments. With this data, you can use event where RQL queries and see alerts for policies that match on audit events to identify compliance and operational risks across your infrastructure.
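The difference between a nested rule and a flattened check is easiest to see on data. The following is an added example, not Prisma Cloud code and not an RQL evaluator: it expresses the `array[?any(<expr>)] exists` semantics of the security-group and bucket-ACL queries above as plain Python, next to the flattened reading that tests each condition over the whole array separately. The records are constructed samples shaped like the aws-ec2-describe-security-groups and aws-s3api-get-bucket-acl resources the queries name; the field names follow the RQL on the page, and the group IDs and CIDRs are made up.

```python
"""Added example (not Prisma Cloud code): nested-rule semantics in plain Python.

The point of `array[?any(<expr>)] exists` is that every condition in <expr> is
evaluated against the SAME array element. A flattened check that tests each
condition over the whole array independently can match two different elements
and raise a false positive. The records below are constructed samples, not
real API output.
"""


def any_match(items, predicate):
    """Equivalent of `items[?any(<expr>)] exists`: some element satisfies predicate."""
    return any(predicate(item) for item in items or [])


def egress_rule_nested(sg):
    """ipPermissionsEgress[?any( toPort greater than 22 and
    ipv4Ranges[?any( cidrIp does not contain "0.0" )] exists )] exists"""
    return any_match(
        sg.get("ipPermissionsEgress"),
        lambda rule: rule.get("toPort", -1) > 22
        and any_match(rule.get("ipv4Ranges"),
                      lambda r: "0.0" not in r.get("cidrIp", "")),
    )


def egress_rule_flattened(sg):
    """The non-nested reading: each condition is tested over all rules independently."""
    rules = sg.get("ipPermissionsEgress") or []
    has_high_port = any(rule.get("toPort", -1) > 22 for rule in rules)
    has_non_default_cidr = any(
        "0.0" not in r.get("cidrIp", "")
        for rule in rules for r in rule.get("ipv4Ranges") or []
    )
    return has_high_port and has_non_default_cidr


def acl_has_canonical_id_grant(bucket):
    """acl.grants[?any(grantee.typeIdentifier equals id and grantee.identifier is not empty)] exists"""
    return any_match(
        bucket.get("acl", {}).get("grants"),
        lambda g: g.get("grantee", {}).get("typeIdentifier") == "id"
        and bool(g.get("grantee", {}).get("identifier")),
    )


# Constructed sample: two egress rules. Rule 1 has a high port but the 0.0.0.0/0
# range; rule 2 has a specific CIDR but port 22. No single rule has both.
SG_SPLIT_ACROSS_RULES = {
    "groupId": "sg-example-1",
    "ipPermissionsEgress": [
        {"fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "10.1.2.0/24"}]},
    ],
}

# Constructed sample: one rule carries both a high port and a specific CIDR.
SG_SAME_RULE = {
    "groupId": "sg-example-2",
    "ipPermissionsEgress": [
        {"fromPort": 3306, "toPort": 3306, "ipv4Ranges": [{"cidrIp": "10.1.2.0/24"}]},
    ],
}

# Constructed sample bucket ACL with one URI grant and one canonical-id grant.
BUCKET_ACL = {
    "acl": {"grants": [
        {"grantee": {"typeIdentifier": "uri",
                     "identifier": "http://acs.amazonaws.com/groups/global/AllUsers"}},
        {"grantee": {"typeIdentifier": "id", "identifier": "0123456789abcdef"}},
    ]}
}

if __name__ == "__main__":
    for sg in (SG_SPLIT_ACROSS_RULES, SG_SAME_RULE):
        print(sg["groupId"], "nested:", egress_rule_nested(sg),
              "flattened:", egress_rule_flattened(sg))
    print("canonical-id grant:", acl_has_canonical_id_grant(BUCKET_ACL))
```

Running it shows sg-example-1 matching the flattened reading but not the nested one: the port and CIDR conditions are satisfied by different rules, which is exactly the correlation the nested `any(...)` form preserves and a per-field query loses.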
API Ingestion

AWS Transit Gateway: aws-vpc-transit-gateway
  Additional permissions required: ec2:DescribeTransitGateways
  The permission is included with the SecurityAudit predefined role.

AWS Database Migration Service: aws-dms-endpoint
  Additional permissions required: dms:DescribeEndpoints, dms:ListTagsForResource
  The permissions are included with the SecurityAudit predefined role.

Updated: AWS Elastic Beanstalk: aws-elasticbeanstalk-configuration-settings
  Additional permissions required: s3:GetObject for the resources on:
    AWS commercial: arn:aws:s3:::elasticbeanstalk-*/*
    AWS GovCloud and FedRAMP: arn:aws-us-gov:s3:::elasticbeanstalk-*/*
    AWS China: arn:aws-cn:s3:::elasticbeanstalk-*/*
  The CFTs are updated to include a new policy, PrismaCloud-IAM-ReadOnly-Policy-ElasticBeanstalk.

Azure Compute: azure-disk-list

Azure Logic Apps: azure-logic-app-custom-connector
  Additional permissions required: Microsoft.Web/customApis/read
  If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to azure_prisma_cloud_read_only_role.json.

Azure Resource Manager: azure-role-assignment

Azure Virtual Network: azure-network-public-ip-address
  Additional permissions required: Microsoft.Network/publicIPAddresses/read
  If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to azure_prisma_cloud_read_only_role.json.

Google Cloud Bigtable: gcloud-bigtable-table
  Additional permissions required: bigtable.tables.list, bigtable.tables.getIamPolicy
  These permissions are included in the predefined Project Viewer role.

Google Access Context Manager: gcloud-access-policy
  Additional permissions required: accesscontextmanager.accessPolicies.list, accesscontextmanager.accessLevels.list, accesscontextmanager.servicePerimeters.list
  These permissions are already part of the Project Viewer role. Alternatively, you can use the predefined role Access Context Manager Reader.

Google Compute Engine: gcloud-compute-route
  Additional permissions required: compute.routes.list
  This permission is included in the predefined Project Viewer role.

Terraform Script Updates
If you are using the Terraform scripts that Prisma Cloud provides for onboarding a new GCP account on Prisma Cloud, the scripts are updated to enable additional GCP APIs and to include new permissions that are not included in the predefined Viewer role.
Permissions added:
  storage.buckets.getIamPolicy
  pubsub.topics.getIamPolicy
  pubsub.subscriptions.getIamPolicy
  pubsub.snapshots.getIamPolicy
  bigquery.tables.get
  bigquery.tables.list
GCP APIs additionally enabled by default:
  accesscontextmanager.googleapis.com
  pubsub.googleapis.com
  run.googleapis.com
  appengine.googleapis.com
  serviceusage.googleapis.com
  bigtableadmin.googleapis.com
  dataproc.googleapis.com
  recommender.googleapis.com
  cloudfunctions.googleapis.com
  redis.googleapis.com

Permission Updates on AWS CloudFormation Templates for Prisma Cloud Compute Workloads
The AWS CFTs now have additional permissions added to ingest data on Compute workloads deployed within AWS cloud accounts that are onboarded to Prisma Cloud.
  PrismaCloud-ReadOnly-Policy-Compute role: used by the CFT for Monitor mode; includes the additional permissions associated with this new role to enable monitoring of resources that are onboarded for Prisma Cloud Compute.
  PrismaCloud-Remediation-Policy-Compute role: used by the CFT for Monitor & Protect mode; includes the additional permissions associated with this new role to enable read-write access for monitoring and remediating resources that are onboarded for Prisma Cloud Compute.
If you do not use the host, serverless function, and container capabilities enabled with Prisma Cloud Compute for AWS accounts onboarded to Prisma Cloud, you can remove these roles from the CFT.
Prisma Cloud checks whether Compute permissions are enabled only if you have one or more Compute workloads deployed on the onboarded AWS cloud accounts, and the cloud status transitions from green to amber only when you have Compute workloads deployed and the additional permissions are not enabled for Monitor, or Monitor & Protect, mode.

New Policy and Policy Updates
See Look Ahead—Planned Updates on Prisma Cloud to learn what's coming soon.

New Policies

AWS S3 Buckets Block public access setting disabled: Identifies AWS S3 buckets with the Block public access setting disabled. Enabling Block public access on publicly accessible S3 buckets ensures that data is never accidentally or maliciously exposed publicly. This policy includes the CLI for automated remediation, when you provide the required permissions.

Saved Search Additions
The following Saved Searches enable you to easily create a policy and generate an alert if you want to check for:
  AWS IAM user/role/policy has unused permissions in the last 90 days_RL
  AWS S3 bucket having policy overly permissive to VPC endpoints
  AWS IAM role with cross-account access_RL

Policy Updates—RQL and Metadata
The RQL in the following policies is updated:

Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic from Internet on TCP protocol
  Policy name updated: Azure Network Security Group (NSG) with Inbound rule overly permissive to 'Internet' source service tag on TCP protocol
  Updated RQL: the RQL has been updated to handle traffic on protocol 'tcp' and 'any' (*) properly. With this change this policy will alert on inbound traffic using TCP.

    config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule="securityRules[?(@.sourceAddressPrefix=='Internet' && @.protocol=='Tcp' && @.access=='Allow' && @.destinationAddressPrefix=='*' && @.destinationPortRange=='*')].direction contains Inbound OR securityRules[?(@.sourceAddressPrefix=='Internet' && @.protocol=='*' && @.access=='Allow' && @.destinationAddressPrefix=='*' && @.destinationPortRange=='*')].direction contains Inbound"

Azure Network Security Group allows SQL Server (UDP Port 1434)
  Policy name updated: Azure Network Security Group allowing SQLServer (UDP Port 1434) traffic from 'any' source or with 'Internet' source service tag
  Updated RQL: the RQL has been updated. This change affects the number of alerts generated against this policy.

    config where api.name= 'azure-network-nsg-list' AND json.rule = "securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Udp' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Udp' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Udp' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Udp' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(1434,1434)"

Azure Network Security Group (NSG) allows SSH traffic from internet on port 22
  Policy name updated: Azure Network Security Group (NSG) allows SSH traffic from 'internet' source service tag on port 22
  Updated RQL: the RQL has been updated. This change affects the number of alerts generated against this policy.

    config where api.name= 'azure-network-nsg-list' AND json.rule = "securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Tcp' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Tcp' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Tcp' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Tcp' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(22,22)"

Azure Network Security Group allows ICMP (Ping)
  Updated RQL: the RQL has been updated to handle ICMP pings from both source 'Any' and the 'Internet' service tag. This change affects the number of alerts generated against this policy.

    config where api.name= 'azure-network-nsg-list' AND json.rule = " securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == '*' && @.sourceAddressPrefix == '*' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == '*' && @.sourceAddressPrefix == 'Internet' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == 'Icmp' && @.sourceAddressPrefix == '*' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == 'Icmp' && @.sourceAddressPrefix == 'Internet' )].destinationPortRange contains * "

AWS Default Security Group does not restrict all traffic
  Updated RQL and recommendation instructions: the RQL is now modified to handle all default security groups that have inbound or outbound rules, irrespective of the public or private IP range attached to them. This change affects the number of alerts generated against this policy.

    config where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = '((groupName == default) and (ipPermissions[*] is not empty or ipPermissionsEgress[*] is not empty))'

AWS S3 buckets are accessible to public
  Updated remediation: the remediation has been removed because the RQL update requires pipelined multiline execution of a CLI command, which is currently not supported on Prisma Cloud. With this change, this policy is no longer remediable from Prisma Cloud.
  Updated RQL: the RQL has been updated to check the S3 account-level block public access setting (aws-s3control-public-access-block) and to verify when the account-level setting is not modified. With this change, any inaccurately generated alerts will be resolved.

    config where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule = "((((acl.grants[?(@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee=='AllUsers')] size > 0) and ((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false))) or (policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false)))) and websiteConfiguration does not exist"

Policy Deletions
The following policy is being removed from Prisma Cloud:
  AWS SQS does not have a dead letter queue configured
Any open alerts generated against this policy will be resolved and marked Policy Deleted.

REST API Updates

Infrastructure-As-Code (IaC) Scan Service
A new set of APIs enables you to interact with the Prisma Cloud IaC scan service to scan templates against policies asynchronously. The new APIs are:
  POST /scans
  POST /scans/{scanId}
  GET /scans/{scanId}/status
  GET /scans/{scanId}/results

User Role
The response object for the following APIs includes a new property, additionalAttributes.hasDefenderPermissions:
  GET /user/role
  GET /user/role/{id}
The request body parameters for the following APIs also include additionalAttributes.hasDefenderPermissions as a new parameter:
  POST /user/role
  PUT /user/role/{id}

Policy
The response object for GET /filter/policy/suggest includes a new filter suggestion, policy.class.
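The updated "AWS S3 buckets are accessible to public" RQL above is long because it has to reconcile three things: how the bucket is public (ACL grant or bucket policy), and whether Block Public Access is set at the bucket level, the account level, neither, or both. The following is an added example, not Prisma Cloud's code: it writes that decision out as a Python function with the same field names the RQL uses (acl.grants, policyStatus.isPublic, publicAccessBlockConfiguration, accountLevelPublicAccessBlockConfiguration, websiteConfiguration) and runs it over constructed bucket records, including the case the release note says used to alert inaccurately: a bucket with an AllUsers grant that is already blocked at the account level.

```python
"""Added example (not Prisma Cloud's code): the decision logic of the updated
'AWS S3 buckets are accessible to public' RQL as a Python function, so the
interplay of bucket-level and account-level Block Public Access settings can
be traced on constructed records. Field names follow the RQL on the page; the
sample buckets are constructed, not real API output.
"""


def _has_all_users_grant(bucket):
    """acl.grants[?(@.grantee=='AllUsers')] size > 0"""
    grants = bucket.get("acl", {}).get("grants") or []
    return sum(1 for g in grants if g.get("grantee") == "AllUsers") > 0


def _is_false(cfg, key):
    """RQL '<cfg>.<key> is false': the object must exist and the key must be false."""
    return cfg is not None and cfg.get(key) is False


def is_publicly_accessible(bucket):
    """Return True when the bucket would match the updated policy RQL."""
    bucket_pab = bucket.get("publicAccessBlockConfiguration")
    account_pab = bucket.get("accountLevelPublicAccessBlockConfiguration")
    public_acl = _has_all_users_grant(bucket)
    public_policy = bucket.get("policyStatus", {}).get("isPublic") is True

    # Branch 1: public via ACL or policy, and no Block Public Access
    # configuration at either the bucket or the account level.
    no_block_anywhere = (
        (public_acl or public_policy) and bucket_pab is None and account_pab is None
    )

    # Branch 2: public ACL, and ignorePublicAcls is explicitly false at whichever
    # level(s) exist. An account-level block with ignorePublicAcls true is the
    # situation that previously produced the inaccurate alerts.
    acl_unblocked = public_acl and (
        (_is_false(bucket_pab, "ignorePublicAcls") and account_pab is None)
        or (bucket_pab is None and _is_false(account_pab, "ignorePublicAcls"))
        or (_is_false(bucket_pab, "ignorePublicAcls")
            and _is_false(account_pab, "ignorePublicAcls"))
    )

    # Branch 3: public bucket policy, same pattern with restrictPublicBuckets.
    policy_unblocked = public_policy and (
        (_is_false(bucket_pab, "restrictPublicBuckets") and account_pab is None)
        or (bucket_pab is None and _is_false(account_pab, "restrictPublicBuckets"))
        or (_is_false(bucket_pab, "restrictPublicBuckets")
            and _is_false(account_pab, "restrictPublicBuckets"))
    )

    # Buckets configured for static website hosting are excluded outright.
    return (
        (no_block_anywhere or acl_unblocked or policy_unblocked)
        and "websiteConfiguration" not in bucket
    )


def flagged_buckets(buckets):
    """Names of the buckets that would raise an alert, in input order."""
    return [b["name"] for b in buckets if is_publicly_accessible(b)]


# Constructed sample records (names and values are made up).
OPEN_ACL_NO_BLOCK = {
    "name": "open-acl-no-block",
    "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
}
OPEN_ACL_ACCOUNT_BLOCKED = {
    "name": "open-acl-account-blocked",
    "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
    "accountLevelPublicAccessBlockConfiguration": {
        "ignorePublicAcls": True, "restrictPublicBuckets": True,
    },
}
PUBLIC_POLICY_UNBLOCKED = {
    "name": "public-policy-unblocked",
    "policyStatus": {"isPublic": True},
    "publicAccessBlockConfiguration": {
        "ignorePublicAcls": False, "restrictPublicBuckets": False,
    },
    "accountLevelPublicAccessBlockConfiguration": {
        "ignorePublicAcls": False, "restrictPublicBuckets": False,
    },
}
PUBLIC_POLICY_BUCKET_BLOCKED = {
    "name": "public-policy-bucket-blocked",
    "policyStatus": {"isPublic": True},
    "publicAccessBlockConfiguration": {
        "ignorePublicAcls": True, "restrictPublicBuckets": True,
    },
}
WEBSITE_BUCKET = {
    "name": "website-bucket",
    "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
    "websiteConfiguration": {"indexDocument": "index.html"},
}
SAMPLE_BUCKETS = [OPEN_ACL_NO_BLOCK, OPEN_ACL_ACCOUNT_BLOCKED, PUBLIC_POLICY_UNBLOCKED,
                  PUBLIC_POLICY_BUCKET_BLOCKED, WEBSITE_BUCKET]

if __name__ == "__main__":
    for b in SAMPLE_BUCKETS:
        print(f"{b['name']:30} flagged={is_publicly_accessible(b)}")
```

Only open-acl-no-block and public-policy-unblocked are flagged. The account-blocked bucket drops out because neither the "does not exist" branch nor the "is false" branch applies once an account-level configuration with ignorePublicAcls true is present, which is the correction the RQL update makes.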
  Features Introduced in 20.9.1       New Features New Policy and Policy Updates REST API Updates New Features                       FEATURE DESCRIPTION Support for AWS Organizations on Prisma Cloud If you use AWS Organizations to centrally govern and manage access to services and resources on AWS, you can now add the AWS Organization to Prisma Cloud. When you   add the AWS Organization, all the member accounts included within the hierarchy will be onboarded to Prisma Cloud in one streamlined workflow.     Consolidation of Unusual User Activity / UEBA Anomaly Settings The   Unusual User Activity / UEBA settings   are now on   Settings Anomaly Settings   along with the Anomaly settings for policies that alert you to network-related incidents.     You can now set the thresholds for machine learning—number of days and events—and alert disposition—what vectors to use for identifying unusual —for the policies that detect usual user activity and the account hijacking attempts. Expanded Support for Roles with Just-in-Time (JIT) Provisioning If you use JIT provisioning to   create administrative users   on Prisma Cloud, when a user whose profile is mapped with multiple roles on the IdP logs in for the first time on Prisma Cloud, that user is provisioned with multiple roles on Prisma Cloud. The number of roles supported with JIT provisioning has increased from one to five, and the first one is assigned as the default role on Prisma Cloud. On each subsequent log in, the roles are evaluated again and the access permissions are adjusted locally according to the roles assigned to the user on the IdP. Rich Text Editor in Email Notification Template Use the rich text editor to customize the message body in your   email notification   template on   Alerts Notification Templates . And as you craft it, you can preview how the content will look on the right-hand pane.     
Limited GA   Prisma Cloud Data Security Prisma Cloud introduces the Prisma Cloud Data Security capabilities as a Limited GA for selected Prisma Cloud Enterprise Edition customers. With Prisma Cloud Data Security, you can protect data stored on AWS S3 buckets and gain visibility on the scan results directly in the Prisma Cloud dashboard. The data security capabilities include predefined data policies and associated data classification profiles such as PII, Financial, or Healthcare & Intellectual Property that scan your objects stored in the S3 bucket to identify exposure—how sensitive information is kept private, or exposed or shared externally, or allows unauthorized access. It also uses the WildFire service to detect known and unknown malware in these objects.     API Ingestion AWS AWS Elastic Map Reduce— aws-emr-public-access-block Additional permissions required: elasticmapreduce:GetBlockPublicAccessConfiguration Azure   Azure Event Hubs— azure-event-hubs-namespace   Azure Logic Apps— azure-logic-apps-workflow   GCP   Google Compute—   gcloud-compute-image Additional permissions required: compute.images.list compute.images.getIamPolicy   Google PubSub—   gcloud-pubsub-topic Additional permissions required: pubsub.topics.getIamPolicy pubsub.topics.list   gcloud-pubsub-subscription Additional permissions required: pubsub.subscriptions.getIamPolicy pubsub.subscriptions.list   gcloud-pubsub-snapshot Additional permissions required: pubsub.snapshots.getIamPolicy pubsub.snapshots.list     New Policy and Policy Updates See   Look Ahead—Planned Updates on Prisma Cloud   to learn what’s coming soon.                                               
Saved Search Additions
The following Saved Searches let you easily create a policy and generate an alert if you want to check for:
  GCP IAM user with overly permissive privileges
  GCP IAM user not used for the last 90 days
  AWS IAM policy not configured with fine-grained access control, such as IP address, time-of-day, and MFA restrictions

Policy Updates: Metadata
Policy Name Update
  Current Name: Azure Security Center 'Also send email notification to subscription owners' value is not set
  New Name: Azure Security Center email notification for subscription owner is not set

Policy Updates: RQL
The RQL in the following policies is updated. For each of the AWS Security Groups policies below, the RQL now excludes security groups that are shared across accounts (the trailing "and isShared is false" clause). With this change, duplicate alerts for shared security groups will be resolved.

AWS Security Groups allow internet traffic to SSH port (22)
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 22 || @.fromPort == 22)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 22 || @.fromPort == 22)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false

AWS Security Groups allow internet traffic from internet to Windows RPC port (135)
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 135 || @.fromPort == 135)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 135 || @.fromPort == 135)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false

AWS Security Groups allow internet traffic from internet to NetBIOS port (138)
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 138 || @.fromPort == 138)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 138 || @.fromPort == 138)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false

AWS Security Groups allow internet traffic from internet to MSQL port (4333)
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 4333 || @.fromPort == 4333)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 4333 || @.fromPort == 4333)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false

AWS Security Groups allow internet traffic from internet to RDP port (3389)
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 3389 || @.fromPort == 3389)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 3389 || @.fromPort == 3389)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false

AWS Security Groups allow internet traffic from internet to Telnet port (23)
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 23 || @.fromPort == 23)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 23 || @.fromPort == 23)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false

AWS Security Groups allow internet traffic from internet to VNC Listener port (5500)
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 5500 || @.fromPort == 5500)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 5500 || @.fromPort == 5500)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false

AWS Security Groups allow internet traffic from internet to SQLServer port (1434)
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1434 || @.fromPort == 1434)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1434 || @.fromPort == 1434)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false

AWS Security Groups allow internet traffic from internet to CIFS port (445)
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 445 || @.fromPort == 445)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 445 || @.fromPort == 445)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false

AWS Security Groups allow internet traffic to ports which are not commonly used
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = "(isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' || @.ipProtocol=='icmp' || @.ipProtocol=='icmpv6' || @.ipProtocol=='udp')].ipv6Ranges[*].cidrIpv6 contains ::/0) or (isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' || @.ipProtocol=='icmp' || @.ipProtocol=='icmpv6' || @.ipProtocol=='udp')].ipRanges[*] contains 0.0.0.0/0)"

AWS Security Groups allow internet traffic from internet to SQLServer port (1433)
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1433 || @.fromPort == 1433)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1433 || @.fromPort == 1433)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false

AWS Security Groups allow internet traffic from internet to NetBIOS port (137)
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 137 || @.fromPort == 137)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 137 || @.fromPort == 137)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false

AWS IAM policy allows full administrative privileges
Updated RQL: The RQL has been updated to exclude AdministratorAccess policies in AWS GovCloud accounts. With this change, open alerts for AWS GovCloud resources that were incorrectly identified will be resolved.
config where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = "document.Statement[?(@.Resource=='*' )].Action equals * and document.Statement[*].Effect equals Allow and policyArn exists and policyArn does not contain iam::aws:policy/AdministratorAccess"

AWS EKS cluster security group overly permissive to all traffic
Updated RQL: The RQL has been updated to exclude security groups shared across accounts. With this change, duplicate alerts for shared security groups on EKS clusters will be resolved.
config where cloud.type = 'aws' AND api.name = 'aws-eks-describe-cluster' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; filter '$.X.resourcesVpcConfig.securityGroupIds contains $.Y.groupId and ($.Y.ipPermissions[*].ipv4Ranges[*] contains 0.0.0.0/0 or $.Y.ipPermissions[*].ipv6Ranges[*] contains ::/0) and $.Y.isShared is false'; show Y;

AWS RDS instance with copy tags to snapshots disabled
Updated RQL: The RQL has been updated to exclude Aurora databases. With this change, any open alerts for Aurora databases will be resolved.
config where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = '(copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'

Azure SQL Database with Auditing Retention less than 90 days
Updated the description, recommendation, and RQL. Note that the RQL treats a retentionDays value of 0 as compliant: in Azure SQL auditing, 0 means unlimited retention, not no retention.
Updated RQL:
config where api.name = 'azure-sql-db-list' as X; config where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show X;

REST API Updates
Cloud Accounts
  The REST API now supports AWS organizations. The following requests have new request body parameters for this support:
    POST /cloud/{cloud_type}
    PUT /cloud/{cloud_type}
    POST /cloud/status/{cloud_type}
Policies
  The response object for the REST API request GET /v2/policy had included an unused field, openAlertsCount. The response object for GET /v2/policy no longer includes this field. The issue ID is RLP-23362.
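The security-group and IAM policy updates above all hinge on small predicate details: the new isShared exclusion, the port-range comparison, the protocol clause in the "not commonly used" policy, and the AdministratorAccess ARN exclusion. The following Python script, added here as an illustration and not Prisma Cloud's own code, re-implements those predicates over locally constructed JSON. It assumes records shaped like the ingested aws-ec2-describe-security-groups and aws-iam-get-policy-version documents that the RQL paths address (ipRanges as a list of CIDR strings, ipv6Ranges as objects with a cidrIpv6 key); the group IDs, ARNs and account number are made up. It follows the RQL where the RQL is explicit, and in one place is deliberately stricter: the full-admin check requires Resource '*', Action '*' and Effect Allow in the same statement, whereas the RQL evaluates those clauses independently.

```python
"""Local re-implementation of three of the updated Prisma Cloud policy predicates.

Illustrative example, not Prisma Cloud's code. Assumed input shape (mirrors the
JSON paths in the RQL): ipPermissions[].ipRanges is a list of IPv4 CIDR strings,
ipPermissions[].ipv6Ranges is a list of {"cidrIpv6": ...}, isShared is a bool,
and IAM records carry policyArn plus document.Statement.
"""

# Ports that the "not commonly used" policy exempts (copied from its RQL).
COMMON_PORTS = {80, 443, 22, 23, 3389, 20, 21, 25, 53, 135, 137, 138, 139,
                445, 3306, 1433, 1434, 4333, 5432}


def _world_open(rule: dict) -> bool:
    """'ipRanges[*] contains 0.0.0.0/0' or 'ipv6Ranges[*].cidrIpv6 contains ::/0'."""
    v4 = "0.0.0.0/0" in rule.get("ipRanges", [])
    v6 = any(r.get("cidrIpv6") == "::/0" for r in rule.get("ipv6Ranges", []))
    return v4 or v6


def _rule_covers_port(rule: dict, port: int) -> bool:
    """'(toPort > P && fromPort < P) or (toPort == P || fromPort == P)'.
    All-traffic rules (ipProtocol "-1") carry no fromPort/toPort in the AWS
    response, so, exactly like the RQL, they never satisfy this predicate."""
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    if lo is None or hi is None:
        return False
    return (hi > port and lo < port) or hi == port or lo == port


def port_open_to_internet(sg: dict, port: int) -> bool:
    """Per-port policy after the update: a world-open inbound rule covering the
    port, on a group that is not shared into this account (isShared is false)."""
    if sg.get("isShared", False):
        return False
    return any(_rule_covers_port(r, port) and _world_open(r)
               for r in sg.get("ipPermissions", []))


def uncommon_ports_open(sg: dict) -> bool:
    """'ports which are not commonly used' policy. In its RQL, '&&' binds tighter
    than '||', so the rule filter reads (both ports uncommon AND tcp) OR icmp OR
    icmpv6 OR udp; that precedence is reproduced here, not "corrected"."""
    if sg.get("isShared", False):
        return False
    for r in sg.get("ipPermissions", []):
        proto = r.get("ipProtocol")
        tcp_uncommon = (proto == "tcp"
                        and r.get("fromPort") not in COMMON_PORTS
                        and r.get("toPort") not in COMMON_PORTS)
        if (tcp_uncommon or proto in ("icmp", "icmpv6", "udp")) and _world_open(r):
            return True
    return False


def _as_list(value) -> list:
    """IAM policy JSON allows a string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allows_full_admin(policy: dict) -> bool:
    """'AWS IAM policy allows full administrative privileges' after the update.
    The substring 'iam::aws:policy/AdministratorAccess' is partition-independent,
    so the exclusion covers both arn:aws:... and arn:aws-us-gov:... ARNs.
    Stricter than the RQL by design: Resource '*', Action '*' and Effect Allow
    must all occur in the same statement."""
    arn = policy.get("policyArn") or ""
    if not arn or "iam::aws:policy/AdministratorAccess" in arn:
        return False
    for stmt in _as_list(policy.get("document", {}).get("Statement")):
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Resource"))
                and "*" in _as_list(stmt.get("Action"))):
            return True
    return False


# Constructed sample records (made-up IDs and ARNs; not real account data).
SSH_OPEN = {"groupId": "sg-example1", "isShared": False, "ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": ["0.0.0.0/0"], "ipv6Ranges": []}]}
SSH_OPEN_SHARED = {"groupId": "sg-example2", "isShared": True,
                   "ipPermissions": SSH_OPEN["ipPermissions"]}
RANGE_OVER_RDP_V6 = {"groupId": "sg-example3", "isShared": False, "ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 3000, "toPort": 4000,
     "ipRanges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]}
UDP_DNS = {"groupId": "sg-example4", "isShared": False, "ipPermissions": [
    {"ipProtocol": "udp", "fromPort": 53, "toPort": 53,
     "ipRanges": ["0.0.0.0/0"], "ipv6Ranges": []}]}
ALL_TRAFFIC = {"groupId": "sg-example5", "isShared": False, "ipPermissions": [
    {"ipProtocol": "-1", "ipRanges": ["0.0.0.0/0"], "ipv6Ranges": []}]}

CUSTOMER_ADMIN = {"policyArn": "arn:aws:iam::123456789012:policy/example-admin",
                  "document": {"Version": "2012-10-17", "Statement": [
                      {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}
GOVCLOUD_MANAGED = {"policyArn": "arn:aws-us-gov:iam::aws:policy/AdministratorAccess",
                    "document": CUSTOMER_ADMIN["document"]}
SCOPED = {"policyArn": "arn:aws:iam::123456789012:policy/example-s3-read",
          "document": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                      "Resource": "*"}]}}

if __name__ == "__main__":
    for name, sg in [("SSH_OPEN", SSH_OPEN), ("SSH_OPEN_SHARED", SSH_OPEN_SHARED),
                     ("RANGE_OVER_RDP_V6", RANGE_OVER_RDP_V6), ("UDP_DNS", UDP_DNS),
                     ("ALL_TRAFFIC", ALL_TRAFFIC)]:
        print(f"{name}: ssh={port_open_to_internet(sg, 22)} "
              f"rdp={port_open_to_internet(sg, 3389)} uncommon={uncommon_ports_open(sg)}")
    for name, pol in [("CUSTOMER_ADMIN", CUSTOMER_ADMIN),
                      ("GOVCLOUD_MANAGED", GOVCLOUD_MANAGED), ("SCOPED", SCOPED)]:
        print(f"{name}: full_admin={allows_full_admin(pol)}")
```

Two behaviours of the RQL as written are worth knowing when you tune these policies. A rule with ipProtocol -1 (all traffic) carries no fromPort or toPort in the AWS response, so the per-port predicate does not match it even though it exposes every port; the EKS policy's "ipPermissions[*] ... contains 0.0.0.0/0" form, which ignores ports, does catch it. And in the "not commonly used" policy, any world-open UDP or ICMP rule matches whatever its port, because the protocol alternatives sit outside the port conjunction.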
3 weeks ago
Office Hours with Product: New Features in Prisma Cloud — host, containers & serverless security
Recording available from the Dec. 2019 customer webinar.
‎09-03-2020 06:29 AM
Features Introduced in 20.8.1
Contents: New Features, New Policy and Policy Updates, REST API Updates

New Features
Notification Template Enhancement
  To easily modify and reuse an existing notification template on Prisma Cloud, you can clone a notification template for Email, Jira, or ServiceNow.
Limited GA: Onboard your Azure Active Directory Account on Prisma Cloud
  Onboard Azure Active Directory (Azure AD) and ingest your Azure AD user information on Prisma Cloud to Investigate user activity. When the data is ingested, use the RQL:
  config where cloud.type = 'azure' AND api.name = 'azure-active-directory-user' AND json.rule = userType equals "Guest"
API Ingestion
  Azure
    Azure Cache: azure-redis-cache
    Azure Compute: azure-virtual-machine-scale-set
  GCP
    GCP Compute Engine: gcloud-compute-nat
      The additional permission required is compute.routers.list

New Policy and Policy Updates
There are no policy updates in this release. See Look Ahead—Planned Updates on Prisma Cloud.

REST API Updates
Notification Templates
  A new API, POST /notification/template/clone/{id}, enables you to clone an existing notification template.
  The possible options for the "description" field in both ServiceNow and Jira notification template field configurations have been expanded to include: ResourceTags, Status, FirstSeen, LastSeen, Reason.
  You can see these options in the response object for the following APIs:
    GET /template/servicenow/{integrationId}/types
    GET /template/servicenow/{integrationId}/{type}/fields
    GET /template/fields/jira/{integrationId}/{project}/{issueType}
‎09-01-2020 01:37 PM
To continue providing a consistent and integrated experience across all our products, we've released a unified UX for Prisma™ Cloud.

The URLs to access Prisma Cloud have changed. While we recommend you update your URLs, redirects are in place to minimize interruption of ongoing workflows and automation scripts.

Previous Access URL -> Updated Access URL
  app.redlock.io -> app.prismacloud.io
  app2.redlock.io -> app2.prismacloud.io
  app3.redlock.io -> app3.prismacloud.io
  app.anz.redlock.io -> app.anz.prismacloud.io
  app.eu.redlock.io -> app.eu.prismacloud.io
  app.gov.redlock.io -> app.gov.prismacloud.io

Previous API URL -> Updated API URL
  api.redlock.io -> api.prismacloud.io
  api2.redlock.io -> api2.prismacloud.io
  api3.redlock.io -> api3.prismacloud.io
  api.anz.redlock.io -> api.anz.prismacloud.io
  api.eu.redlock.io -> api.eu.prismacloud.io
  api.gov.redlock.io -> api.gov.prismacloud.io

Change in authentication for non-SSO users
We've integrated with the Palo Alto Networks login service, so if you're currently not using a third-party identity provider for single sign-on (SSO), you only need one set of credentials to access all your products, services, support, and collateral. This will not affect anyone currently using third-party SSO to access the Prisma Cloud application. However, this change does affect non-SSO users who access it directly with a username and password. We've replaced local credential access, as well as the "forgot" and "change password" processes, with a more robust login flow. Non-SSO users will now need to log in via the Palo Alto Networks login page:
  The Prisma Cloud application will redirect you to the Palo Alto Networks login page.
  After authentication, all single-tenant users will be redirected to the application.
  If you have multiple tenants within the same region, you'll be redirected to the Palo Alto Networks Hub, which will let you choose which tenant to log in to.
  If you haven't set up an account yet, you'll be able to do so by clicking "Forgot Password?" on the new sign-in page.
If you're currently using a username and password for automation purposes via our APIs, please refer to the section below on "API Access Keys."

The Palo Alto Networks Hub
The hub shows all the products you're authorized to use in an easy-to-navigate dashboard, to give you better visibility of your overall security posture.

API Access Keys
We have implemented API access keys, giving system administrators the ability to grant or revoke users' access key permissions to communicate with our APIs. Existing username and password-based automations will not be immediately disabled. Your automations will continue to work; however, we strongly recommend you adopt the new access keys for more secure access. Our intention is to sunset local passwords altogether from Prisma Cloud in a few months. We'll send reminders to those using username and password-based automation to switch over to access keys before deprecating local passwords, to ensure your business remains uninterrupted. For additional information, please watch: Prisma Cloud: Product Update and Demo
‎09-01-2020 01:30 PM
New Features
RedLock Service in New Regions
  Prisma Cloud is now available in the Australia & New Zealand (ANZ) region. You can select this region when you sign up for the service from the AWS Marketplace or the Palo Alto Networks Marketplace. In addition, Prisma Cloud is also available on AWS GovCloud. You can request a RedLock tenant on AWS GovCloud when you sign up for the service from the Palo Alto Networks Marketplace.
Operators in Event RQL
  You can now use the operators Contains, Does not Contain, Exists, and Does not exist with Event RQL queries.
API Ingestion Update
  The API aws-iam-get-policy-version is now updated to fetch unattached policies.
user Attribute Rename in Event RQL
  The user attribute in Event RQL is renamed to subject, to represent both users and instances. For example:
  event where role = 'oktaDevReadWriteRole' and subject = 'johnjames@paloaltonetworks.com'
role Attribute in Event RQL
  The new Event RQL attribute role allows you to filter the search results by role. For example:
  event where role = 'OktaDevReadWriteRole'
Support for Strings with Space Separators
  You can now use RQL to search for strings that include white space as a separator. This capability helps you find values with spaces, such as in keys, key-value pairs, or security groups. For example, if your key name is test 4081 and it has the value tag with space, use this query:
  config where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = "tags[*] size greater than 0 and tags[?(@.key=='test 4081')].value contains \"tag with space\""
Network Alert Workflow Update
  Prisma Cloud now automatically reopens any alerts for a Network policy violation that you had manually dismissed, if the same policy is violated again.

Policy Updates
GCP Kubernetes cluster size contains less than 3 nodes
  Checks the size of your cluster pools and alerts if there are fewer than 3 nodes in a pool.
GCP Kubernetes cluster Istio Config not enabled
  Checks your cluster for the Istio add-on feature and alerts if it is not enabled.
GCP Kubernetes cluster not in redundant zones
  Alerts if your cluster is not located in at least 3 zones.
GCP Kubernetes cluster Application-layer Secrets not encrypted
  Checks your cluster for the Application-layer Secrets Encryption security feature and alerts if it is not enabled.
GCP Kubernetes cluster intra-node visibility disabled
  Checks your cluster's intra-node visibility feature and generates an alert if it is disabled.
AWS SSM Parameter is not encrypted
  Identifies AWS SSM Parameters which are not encrypted.
AWS Cloudfront Distribution with S3 have Origin Access set to disabled
  Identifies AWS CloudFront distributions which use an S3 bucket origin and have Origin Access disabled.
AWS CloudFront Distributions with Field-Level Encryption not enabled
  Identifies CloudFront distributions for which field-level encryption is not enabled.

This information was adapted from TechDocs. For more information about the release notes or to view other release notes, please visit Features Introduced on May 9, 2019.
‎09-01-2020 01:30 PM
New Features
CSV Download of Config Data
  You can now download details in CSV format to analyze Config events offline. Enter your RQL query on the Investigate page of the RedLock admin console to download the results as a .zip file.
Tenable Integration for GCP accounts
  The RedLock service now supports the Tenable integration on Google Cloud Platform. This integration provides additional context around vulnerabilities identified in your GCP workloads to help you prioritize alerts. For example, you can address high-severity vulnerabilities on hosts that are internet facing and receiving malicious traffic ahead of other hosts.
CLI Variables for Automated Remediation
  When you define a custom policy with auto-remediation, you can now see the variables that are available for use in the CLI commands.
Auto Suggestion for json.rule attribute in Event RQL
  To help you build Event RQL queries, you can see automatic suggestions for the json.rule attribute when it is used with the operation attribute. Auto-suggest works with the operators = and IN.
API Ingestion
  Prisma Cloud now ingests the following new Azure services to help build Config queries:
    azure-app-service
    azure-kubernetes-cluster
Classification of Microsoft Azure ELBs
  Microsoft Azure Load Balancers are now classified as Azure ELB.

Policy Updates
AWS Lambda Function is not assigned to access within VPC
  Identifies AWS Lambda functions which do not have access within the VPC.
GCP Project audit logging is not configured properly across all services and all users in a project
  Identifies GCP projects in which cloud audit logging is not configured properly across all services and all users.

This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on May 23, 2019.
‎09-01-2020 01:30 PM
New Features
Just-In-Time Provisioning for SSO Users
  To access the RedLock service using Single Sign-on (SSO), every user (administrator) requires a local account on Prisma Cloud. With Just-In-Time (JIT) Provisioning, you are no longer required to create the user in advance on Prisma Cloud. After successful authentication with your SSO Identity Provider (IdP), users are now automatically provisioned on Prisma Cloud with the specified role. From Settings > SSO, enable JIT Provisioning and specify the SAML attributes you configured for your users on your IdP.
Coverage for Azure Container Registry Webhooks and Azure App Service Authentication
  When you onboard your Azure subscriptions to Prisma Cloud, you can now ingest additional information from Azure Container Registry webhooks and Azure App Service to provide more visibility and context. Create a custom role, or modify an existing role, to include the following permissions:
    Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action: to ingest data from Azure Container Registry webhooks, which are triggered when a container image or Helm chart is pushed to a registry or deleted from it.
    Microsoft.Web/sites/config/list/action: to ingest Authentication/Authorization data from the Azure App Service that hosts websites and web applications.
  This custom role is required in addition to the Reader role, which is adequate to ingest configuration data from Azure App Service.
Bypass DNS Resolution for SAML
  If you have deployed your IdP on an internal network and do not need a DNS lookup for the URLs defined in the SSO configuration settings, you can now disable it. To disable DNS lookups, clear Enforce DNS resolution for RedLock Access SAML on Settings > SSO.

New API Ingestion
Prisma Cloud adds coverage for the following new services that you can use in RQL:
  GCP: gcloud-compute-target-https-proxies
  AWS: aws-rds-db-clusters

API Ingestion Updates
aws-iam-get-policy-version
  The aws-iam-get-policy-version API is modified to list all IAM users, groups, and roles that the specified managed policy is attached to. With this change, this API now retrieves information about managed policies along with all IAM users, groups, and roles attached to the policies.
aws-rds-db-cluster-snapshots
  The aws-rds-db-cluster-snapshots API now includes a new JSON field, dbclusterSnapshotAttributes, that provides information about the attributes of an RDS database cluster snapshot.
aws-kms-get-key-rotation-status
  The aws-kms-get-key-rotation-status API now includes a new JSON field, policies. With this change, this API now retrieves the KMS key rotation status along with the list of policies associated with the key.
aws-ecr-get-repository-policy
  The aws-ecr-get-repository-policy API is updated to include the IAM policy statement, which describes the operations allowed on the ECR resource. With this change the JSON structure is fully revised.
aws-sqs-get-queue-attributes
  The aws-sqs-get-queue-attributes API is updated to include the policy statement, which describes the operations allowed on the SQS resource. With this change the JSON structure is fully revised.

This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on June 6, 2019.
‎09-01-2020 01:29 PM
New Features
Amazon GuardDuty Findings on IAM Users
  To help you find potential security issues (malicious activity and unauthorized behavior) that pertain to IAM users identified in Amazon GuardDuty findings, you can now specify hostfinding.type = 'AWS GuardDuty IAM' in a Config RQL query.
Azure Network Security Group Rule Actions
  To help you audit Network Security Groups (NSGs) directly from the RedLock console, the resource explorer and the network explorer display how Azure NSGs are configured to enforce traffic in your Azure environment. To display the information on the Azure NSG rule, both the resource explorer and the network explorer now have a new Action column, which indicates whether the NSG rule is set to Allow or Deny traffic.
API Ingestion Update
  Prisma Cloud has improved coverage for the following API service that you can query using RQL: the aws-elasticbeanstalk-environment JSON is modified to include the environment resource details in the describeEnvironmentResources field.

Policy Updates
The following new policies are available in this release:
AWS EKS cluster control plane assigned to multiple security groups
  Checks the number of security groups assigned to your AWS EKS cluster control plane and alerts if more than one security group is attached to the cluster.
AWS EKS cluster using the default VPC
  Identifies AWS Kubernetes clusters which are configured with the default VPC instead of a custom VPC.
AWS EKS control plane logging disabled
  Checks whether Kubernetes control plane logging for audit and diagnostic logs is enabled, so that log data from your EKS cluster is written directly to CloudWatch Logs. This policy alerts you if logging is disabled.
AWS EKS cluster security group overly permissive to all traffic
  Identifies security group rules that are attached to the cluster network and allow inbound traffic for all protocols from the public internet.
AWS EKS cluster endpoint access publicly enabled
  Checks whether your Kubernetes cluster endpoint, through which the API server and the worker nodes in your cluster communicate, is publicly accessible. This policy alerts if you have not restricted public access to the Kubernetes cluster endpoint.

This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on June 22, 2019.
‎09-01-2020 01:29 PM
New Features
Support for the AWS Hong Kong region
  Prisma Cloud can now monitor resources in the AWS Hong Kong region (ap-east-1).
IP Address Modeling for Anomaly Alert Generation
  To reduce false positives when detecting unusual user activity, Prisma Cloud has augmented its UEBA modeling to incorporate IP address information. Prisma Cloud relies on a third-party source for IP address to geo-location resolution to detect unusual user activity. This resolution can sometimes generate false positives in the Unusual User Activity policy when the same IP resolves to different locations at different points in time. With this modeling change, when there is user activity from a previously unseen location for a known IP address, the service no longer generates anomaly alerts.
Microsoft Teams Integration
  Create an Office 365 webhook integration on a Microsoft Teams channel and configure Prisma Cloud to send notifications to it. Sending RedLock alerts to a Microsoft Teams channel enables your DevOps and SecOps teams to investigate and remediate security incidents more promptly.
API Ingestion Updates
  Prisma Cloud has added coverage for the GCP API service gcloud-compute-global-forwarding-rule.

Policy Updates
GCP storage bucket is encrypted using default KMS key instead of customer-managed key
  Identifies storage buckets that are encrypted with the default Google-managed keys. As a best practice, use customer-managed keys to encrypt the data in your storage bucket and ensure full control over your data.
GCP load balancer target proxy is configured with default SSL policy instead of custom SSL policy
  Identifies load balancer target proxies which are configured with the default SSL policy instead of a custom SSL policy. As a best practice, using a custom SSL policy for load balancers gives you better control over SSL/TLS versions and ciphers.
GCP load balancer HTTPS target proxy is not configured with QUIC protocol
  Identifies load balancer HTTPS target proxies which are not configured with the QUIC protocol. Enabling QUIC helps the load balancer's HTTPS target proxies establish connections faster, supports stream-based multiplexing and improved loss recovery, and eliminates head-of-line blocking.

This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on July 11, 2019.
‎09-01-2020 01:29 PM
New Features
FEATURE DESCRIPTION
Flow Logs Ingestion Update: After you enable flow logs, Prisma Cloud ingests flow log data for the last seven days only. If flow logs become unavailable for any reason (for example, you manually disable flow logs, modify API permissions, or an internal error occurs), then when access is restored only the logs from the preceding seven days are ingested.
Deletion of GCP Organization and Master Service Account: If you no longer want Prisma Cloud to monitor a GCP organization, or you want to delete a GCP project that you onboarded using a master service account, you can now delete the organization or project on Settings > Cloud Accounts. Although the service stops ingesting data from the project or organization as soon as you delete it, the data on your cloud resources is purged only after 24 hours. Therefore, if the deletion was unintentional, you can onboard the account again within 24 hours to resume monitoring and retain the history of your cloud resources. The audit logs record the user who deleted the account, the name of the cloud account, and when the action was performed. In addition, when you delete a project on GCP, Prisma Cloud learns about it and automatically removes the account from the list of monitored accounts on Settings > Cloud Accounts; an audit log entry is generated so you can track the automatic deletion.
RQL Enhancements for Functions: For Config RQL queries, view the result of a _DateTime function as a column on the Investigate page instead of locating and verifying the result within the resource JSON. For example, the query
config where api.name = 'aws-ec2-describe-instances' addcolumn _DateTime.ageInDays(launchTime)
adds a column with the age in days of each instance's launchTime and displays the results on the page. Functions also support auto-suggest when you enter the prefix _ in a json.rule or addcolumn attribute.
Saved Search for Identifying VM-Series Firewalls: Use the new saved search to list VM-Series firewall instances deployed in your GCP, AWS, and Azure environments. You can use this saved search to easily create a policy and generate an alert if you want to ensure that your internet-facing workloads are protected by VM-Series firewalls. The query shown for GCP joins instances to their disks and matches on the disk's source image:
config where api.name = 'gcloud-compute-instances-list' as X; config where api.name = 'gcp-compute-disk-list' as Y; filter '$.X.disks[*].source contains $.Y.name and ($.Y.sourceImage contains vmseries-bundle or $.Y.sourceImage contains vmseries-byol)'; show X;
Policy Updates
POLICY DESCRIPTION
Azure AKS cluster pool profile count contains less than 3 nodes: Checks whether there are fewer than 3 nodes in your AKS cluster pool profile and alerts you if so.
Azure AKS cluster Azure CNI networking not enabled: Checks your AKS cluster for the Azure Container Networking Interface (CNI) plugin and generates an alert if it is not enabled.
Azure AKS cluster monitoring not enabled: Checks whether monitoring is enabled for AKS clusters and alerts you if no configuration is found or the monitoring add-on is disabled.
Azure AKS enable role-based access control (RBAC) not enforced: Checks whether your AKS cluster has RBAC enabled so that users or groups are granted access only to the resources they need.
Azure ACR HTTPS not enabled for webhook: Checks your Azure container registry webhooks for use of HTTPS and alerts you if it is not enabled.
Azure AKS cluster HTTP application routing enabled: Checks whether your AKS cluster has the HTTP application routing add-on, which creates publicly accessible DNS names for application endpoints, and alerts you if it is enabled.
GCP HTTPS Load balancer SSL Policy not using restrictive profile: Identifies GCP HTTPS load balancers whose SSL policy does not use a restrictive profile, which is needed to meet stricter compliance requirements.
GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower: Identifies GCP HTTPS load balancers configured with an SSL policy whose minimum TLS version is 1.1 or lower.
This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on July 25, 2019.
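As an added example (not code from this page or from Prisma Cloud), the following Python evaluates a constructed inventory of GCP HTTPS target proxies and SSL policies against the three load-balancer policies on this page: the QUIC check from the July 11 notes and the two SSL policy checks above. The field names (quicOverride, sslPolicy, profile, minTlsVersion) follow the GCP Compute API; the resources themselves, and the decision to flag anything other than an explicit quicOverride of ENABLE, are assumptions made for the example.

```python
"""Evaluate GCP HTTPS target proxies and their SSL policies the way the three
load-balancer policies on this page do. Illustrative code, not Prisma Cloud's
policy engine; the inventory below is constructed for the example."""
from typing import Dict, List, Optional

# Constructed sample inventory (not real resources). sslPolicy on a proxy is a
# self-link to an SSL policy; a proxy with no sslPolicy uses GCP's default policy.
TARGET_HTTPS_PROXIES: List[Dict] = [
    {"name": "web-proxy-good", "quicOverride": "ENABLE",
     "sslPolicy": "https://www.googleapis.com/compute/v1/projects/p1/global/sslPolicies/strict"},
    {"name": "web-proxy-custom", "quicOverride": "ENABLE",
     "sslPolicy": "https://www.googleapis.com/compute/v1/projects/p1/global/sslPolicies/custom12"},
    {"name": "web-proxy-legacy", "quicOverride": "DISABLE",
     "sslPolicy": "https://www.googleapis.com/compute/v1/projects/p1/global/sslPolicies/legacy"},
    {"name": "web-proxy-default"},  # no quicOverride (NONE) and no SSL policy attached
]

SSL_POLICIES: List[Dict] = [
    {"name": "strict", "profile": "RESTRICTED", "minTlsVersion": "TLS_1_2"},
    {"name": "custom12", "profile": "CUSTOM", "minTlsVersion": "TLS_1_2"},
    {"name": "legacy", "profile": "COMPATIBLE", "minTlsVersion": "TLS_1_0"},
]

# Ordering used to compare minimum TLS versions.
TLS_ORDER = {"TLS_1_0": 0, "TLS_1_1": 1, "TLS_1_2": 2}

# GCP applies a default SSL policy when none is attached; it behaves like the
# COMPATIBLE profile with a TLS 1.0 minimum, so "no policy" is not "no finding".
DEFAULT_PROFILE = "COMPATIBLE"
DEFAULT_MIN_TLS = "TLS_1_0"


def _policy_for(proxy: Dict, policies_by_name: Dict[str, Dict]) -> Optional[Dict]:
    """Resolve the proxy's sslPolicy self-link to the policy resource, if any."""
    link = proxy.get("sslPolicy")
    if not link:
        return None
    return policies_by_name.get(link.rsplit("/", 1)[-1])


def lb_findings(proxies: List[Dict], policies: List[Dict]) -> Dict[str, List[str]]:
    """Return {proxy name: [policy ids that fired]} for every non-compliant proxy."""
    by_name = {p["name"]: p for p in policies}
    out: Dict[str, List[str]] = {}
    for proxy in proxies:
        hits: List[str] = []
        # Assumption for the example: the QUIC policy wants an explicit ENABLE.
        if proxy.get("quicOverride") != "ENABLE":
            hits.append("quic-not-enabled")
        policy = _policy_for(proxy, by_name)
        profile = policy.get("profile", DEFAULT_PROFILE) if policy else DEFAULT_PROFILE
        min_tls = policy.get("minTlsVersion", DEFAULT_MIN_TLS) if policy else DEFAULT_MIN_TLS
        if profile != "RESTRICTED":
            hits.append("ssl-policy-not-restricted")
        if TLS_ORDER.get(min_tls, 0) <= TLS_ORDER["TLS_1_1"]:
            hits.append("ssl-policy-tls-1-1-or-lower")
        if hits:
            out[proxy["name"]] = hits
    return out


if __name__ == "__main__":
    for name, hits in lb_findings(TARGET_HTTPS_PROXIES, SSL_POLICIES).items():
        print(name, hits)
```

A proxy with no SSL policy attached is the case a rule that only inspects attached policies would miss: GCP's default policy allows TLS 1.0, so the checker reports it rather than skipping it. The CUSTOM policy with a TLS 1.2 minimum shows the two SSL checks are independent: it passes the TLS version check but still fails the restrictive-profile check.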
09-01-2020 01:29 PM
New Features
FEATURE DESCRIPTION
Simplified Cloud Account Onboarding for First-Time Users: The Cloud Account Onboarding tours are designed to help you onboard your cloud accounts on AWS, Azure, and GCP and simplify the first step in cloud monitoring and governance. The guided experience helps Prisma Cloud administrators with the System Administrator and Cloud Provisioning Administrator roles automate some of the configuration options for quicker onboarding.
HITRUST Compliance Standard for AWS: With support for the Health Information Trust Alliance (HITRUST) security control framework, Prisma Cloud enables you to audit how you are doing against this healthcare regulatory requirement. Use the policy checks included in the HITRUST Version 9.2 compliance standard to ensure that your AWS workloads that store, process, transmit, and analyze protected health information handle sensitive data securely.
Principal ARN Check for Prisma Cloud Monitored AWS Accounts: The _AWSCloudAccount.isRedLockMonitored function is enhanced to check the Principal ARN, in addition to the Account ID, specified in the role's trust policy document, and to verify whether the AWS Principal ARN belongs to an account that is monitored by Prisma Cloud. The RQL is:
config where api.name = 'aws-iam-list-roles' AND json.rule = '_AWSCloudAccount.isRedLockMonitored(role.assumeRolePolicyDocument.Statement[*].Principal.AWS) is true'
With this enhancement, when you use this RQL in a custom policy, an alert is generated when a cross-account role allows access to an AWS account, whether a third party's or another account you own, that is not monitored by Prisma Cloud.
API Ingestion Updates: Prisma Cloud has added coverage for the API aws-iam-saml-provider.
Policy Updates
POLICY DESCRIPTION
GCP load balancer sensitive configuration updates: Detects sensitive configuration updates such as the deletion or modification of a GCP load balancer or its SSL policies.
This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced in August 2019.
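The trust-policy check that _AWSCloudAccount.isRedLockMonitored performs can be reproduced outside Prisma Cloud, for instance in a CI gate over Terraform-planned roles or over the output of aws iam list-roles. The following Python is an added example, not Prisma Cloud's implementation: it parses IAM role trust policies (the assumeRolePolicyDocument), extracts the account ID from each AWS principal, and reports principals that are not in a set of monitored accounts. The monitored account set and the three trust policies are constructed for the example.

```python
"""Report AWS principals in IAM role trust policies that belong to accounts
outside a monitored set. Illustrative code, not Prisma Cloud's function; the
account set and policy documents below are constructed samples."""
import json
import re
from typing import Iterable, List, Optional, Set

# Accounts assumed to be monitored in this example.
MONITORED_ACCOUNTS: Set[str] = {"111111111111", "222222222222"}

_ACCOUNT_RE = re.compile(r"^\d{12}$")
# Matches arn:aws:iam::<acct>:..., arn:aws-cn:..., arn:aws-us-gov:... and STS ARNs.
_ARN_RE = re.compile(r"^arn:aws[a-z-]*:(iam|sts)::(\d{12}):")


def account_of(principal: str) -> Optional[str]:
    """Extract the 12-digit account ID from an AWS principal string.

    Accepts a bare account ID, a root ARN, a user/role ARN or an STS
    assumed-role ARN. Returns None for '*' and anything it cannot parse so the
    caller treats those as untrusted instead of silently skipping them.
    """
    if _ACCOUNT_RE.match(principal):
        return principal
    m = _ARN_RE.match(principal)
    return m.group(2) if m else None


def _as_list(value) -> List:
    """IAM allows Statement and Principal.AWS to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def untrusted_principals(trust_policy: str, monitored: Iterable[str]) -> List[str]:
    """Return AWS principals in Allow statements whose account is not monitored.

    Only Allow statements with an AWS principal are considered; Service and
    Federated principals are outside this check. A bare '*' principal and any
    principal that cannot be parsed are reported as-is.
    """
    monitored_set = set(monitored)
    doc = json.loads(trust_policy)
    flagged: List[str] = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            flagged.append("*")
            continue
        if not isinstance(principal, dict):
            continue
        for p in _as_list(principal.get("AWS")):
            acct = account_of(p)
            if acct is None or acct not in monitored_set:
                flagged.append(p)
    return flagged


# Constructed sample trust policies in the standard IAM JSON shape.
TRUST_OK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "222222222222"]}}],
})

TRUST_THIRD_PARTY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::999999999999:role/vendor-scanner"},
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "ec2.amazonaws.com"}},
    ],
})

TRUST_WILDCARD = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"},
})

if __name__ == "__main__":
    for label, doc in [("ok", TRUST_OK), ("third-party", TRUST_THIRD_PARTY), ("wildcard", TRUST_WILDCARD)]:
        print(label, untrusted_principals(doc, MONITORED_ACCOUNTS))
```

Principal.AWS may be a single string or a list, and a principal may be a bare account ID, a root ARN, or a user/role ARN; the helper handles all of these and reports a wildcard or unparsable principal rather than dropping it, since a wildcard principal on a cross-account role is the worst case this check exists to catch. An ExternalId condition, as in the third-party sample, mitigates the confused-deputy problem but does not make the account monitored, so it is still reported.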
09-01-2020 01:29 PM
New Features
FEATURE DESCRIPTION
Integration Status Checks: Prisma Cloud performs periodic checks and background validation of outbound external integrations to identify exceptions or failures in processing notifications. With the exception of the Email, PagerDuty, Qualys, and Tenable.io integrations, the status checks now indicate when a change on the integration vendor's side affects outbound alert notifications. The status displays as red (the integration failed validation), yellow (one or more templates associated with the integration are invalid), or green (working, and all templates are valid). State transitions are reflected automatically on the Prisma Cloud administrator console.
Resource Attribution on Azure Updates: Prisma Cloud correlates data available in resource configurations and audit events to help you identify who (which user) made changes to specific Azure resources. In addition to the services supported in the last release, resource attribution is now available for events related to the following Azure resources: Azure Network Watcher, Azure Load Balancer, Azure SQL Database, Azure SQL Server, Azure Storage Account, Azure VPN Connection, Azure Container Registry, Azure Application Gateway, Azure Disk, Azure Vault, and Azure App Service.
API Ingestion Updates: Prisma Cloud has added coverage for the APIs azure-cosmos-db and azure-network-route-table. The JSON for the API aws-sns-get-subscription-attributes is updated: some fields, such as RawMessageDelivery, PendingConfirmation, and ConfirmationWasAuthenticated, are no longer retrieved for this API.
Policy Updates
POLICY DESCRIPTION
AWS ECS Task Definition Elevated Privileges Enabled: Checks your ECS task definitions for container definitions that have elevated (privileged) access enabled and alerts you if any are found.
AWS ECS/ECS Fargate task definition execution IAM Role not found: Generates an alert if no task execution IAM role is defined in your task definition; this role is what ECS uses to pull container images and publish container logs to Amazon CloudWatch.
AWS ECS Task Definition Root User Found: Checks whether a container definition runs as the root user and alerts you if so.
GCP GKE Unsupported Node Version: Checks your GKE master node version and generates an alert if the running version is unsupported.
Non-Corporate Accounts Have Access to Google Cloud Platform (GCP) Resources: The RQL in this customizable policy is updated to match more than one domain, and the match criterion checks whether the email address contains or ends in the specified domain(s). When you customize it, prefer the ends-in form: a contains match on example.com would also treat an address such as user@example.com.evil.test as corporate.
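As an added example, not Prisma Cloud's rule logic, the following Python applies the three ECS task-definition checks above to constructed task definitions in the shape returned by the ECS DescribeTaskDefinition API (executionRoleArn, containerDefinitions[].privileged, containerDefinitions[].user). Reporting a container with no user set at all is an addition for the example: such a container inherits the image's USER, which is root for most base images, so it is worth surfacing next to the explicit root findings.

```python
"""Apply the three ECS task-definition policies on this page to sample task
definitions. Illustrative code, not Prisma Cloud's rule engine; the task
definitions below are constructed in the DescribeTaskDefinition shape."""
from typing import Dict, List

# A container user may be "name", "uid", "name:group" or "uid:gid"; only the
# user part decides whether the process runs as root.
ROOT_USER_IDS = {"root", "0"}


def check_task_definition(td: Dict) -> List[str]:
    """Return finding labels for one task definition (empty list if compliant)."""
    findings: List[str] = []
    # Execution role: used by the ECS agent to pull images and ship logs.
    if not td.get("executionRoleArn"):
        findings.append("execution-role-missing")
    for container in td.get("containerDefinitions", []):
        name = container.get("name", "<unnamed>")
        # privileged is an explicit boolean in the API; absent means false.
        if container.get("privileged") is True:
            findings.append(f"{name}:privileged")
        user = container.get("user")
        if user is None:
            # Assumption for the example: an unset user inherits the image's
            # USER, which is root for most base images, so report it separately
            # for review of the image's Dockerfile.
            findings.append(f"{name}:user-not-set")
        elif user.split(":", 1)[0] in ROOT_USER_IDS:
            findings.append(f"{name}:runs-as-root")
    return findings


def check_all(task_defs: List[Dict]) -> Dict[str, List[str]]:
    """Map each task definition family to its findings."""
    return {td["family"]: check_task_definition(td) for td in task_defs}


# Constructed sample task definitions (not real workloads).
TASK_DEFINITIONS: List[Dict] = [
    {
        "family": "api",
        "executionRoleArn": "arn:aws:iam::111111111111:role/ecsTaskExecutionRole",
        "containerDefinitions": [
            {"name": "api", "image": "example/api:1.0", "user": "1000:1000"},
        ],
    },
    {
        "family": "agent",
        "containerDefinitions": [
            {"name": "agent", "image": "example/agent:2.3", "privileged": True, "user": "root"},
            {"name": "sidecar", "image": "example/sidecar:0.9"},
        ],
    },
]

if __name__ == "__main__":
    for family, findings in check_all(TASK_DEFINITIONS).items():
        print(family, findings or "compliant")
```

The user check splits on the first colon so that "0:0" and "root:root" are caught as well as the bare forms; a task definition that passes all three checks returns an empty list, which is what a CI gate would key on.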
09-01-2020 01:28 PM
We are excited to announce a web interface change that will present a navigation panel on the left side of the Prisma Cloud console.   Best Regards, The Prisma Cloud Team
09-01-2020 01:28 PM
Review the most recent release notes for Prisma Cloud.
09-01-2020 01:16 PM
In December 2019, we introduced host, container, and serverless security capabilities via the new Compute tab in Prisma Cloud. Today, we have two important updates to share with you.
09-01-2020 01:15 PM
Review the release notes from October 2, 2019. See the new features released and discover how they will help your network.
09-01-2020 01:15 PM
These guides provide customized direction, advice, and recommendations by job function for implementing Prisma Cloud into operation in your organization.
09-01-2020 01:12 PM
Read the release notes for Prisma Cloud from October 16, 2019. Features include Alert Dismissal Restrictions and several Policy Updates to help you stay secure.
09-01-2020 01:11 PM
Read about the new features in the November 6, 2019 release notes for Prisma Cloud. New features include Prisma Cloud on the GCP Marketplace, API ingestion updates, and more.
09-01-2020 01:11 PM
Read about the new features in the November 20, 2019 release notes for Prisma Cloud Compute Edition.
09-01-2020 01:11 PM
Read the new features in the December 4, 2019 release notes for Prisma Cloud. See more about Automated Remediation CLI, Event RQL Attribute, and more.
09-01-2020 01:11 PM
Review the new features in the Prisma Cloud Release Notes from December 19, 2019. 
09-01-2020 01:11 PM
Review the newest features and policies for Prisma Cloud in the release notes for January 16, 2020. See what's new and how it can help keep your network secure.
09-01-2020 01:10 PM
Review the new features and policies in the January 31, 2020 Prisma Cloud release notes. 
09-01-2020 01:10 PM
Read about the new policies and features in the Prisma Cloud release notes from February 12, 2020. See what's new and how it will help you.
09-01-2020 01:10 PM
Read the Prisma Cloud release notes for Feb 26, 2020. Learn more about Alibaba Cloud, Asset Inventory and Compliance, new API ingestion, some helpful RQL queries, and even some new policies for AWS, GCP, and Azure.
09-01-2020 01:07 PM
Read the Prisma Cloud release notes that detail new features, including Multi-Tenant Demisto Deployments and API ingestion updates. You can also find new and updated policies for AWS and Azure.
09-01-2020 01:04 PM