Prisma Cloud Articles

Featured Article
Prisma Cloud Release Notes For April 7, 2020
Posted 09-01-2020 01:03 PM
Features Introduced on April 21, 2020
Posted 09-01-2020 01:03 PM
Prisma Cloud Release Notes For May 5, 2020
Posted 09-01-2020 01:02 PM
Features Introduced on May 19, 2020

New Features

resource.status Attribute in Config RQL
RQL Config query adds a new attribute, resource.status, that enables you to identify cloud resources that are in an active or deleted state within a specified time range. For example:

config where resource.status = Deleted AND cloud.account = 'account_name' AND api.name = 'aws-ec2-describe-route-tables'

and specify the time range. The resource.status attribute is supported on the Investigate page only. You can also view the current status of the cloud resource on the Resource Explorer. The status shows whether the resource is deleted (Deleted: True) or active (Deleted: False).

API Ingestion
APIs to ingest the following services:

AWS
aws-iam-service-last-accessed-details
The API enables you to view details about when an IAM resource (user, role, or policy) was last used to access an AWS service. To ingest the resources associated with this API, you must update the CFT and enable additional permissions: generateServiceLastAccessedDetails, getServiceLastAccessedDetails. When enabled, the details on all roles and all users created in the AWS account, and all policies attached to those users and roles, are ingested every 24 hours on Prisma Cloud.

For example:

To query users, roles, and policies with unused permissions:
config where api.name = 'aws-iam-service-last-accessed-details' AND json.rule = serviceLastAccesses[*].totalAuthenticatedEntities any equal "0" AND arn contains ":user"

To list users (or roles) who can access a specific service:
config where api.name = 'aws-iam-service-last-accessed-details' AND json.rule = arn contains ":user" AND serviceLastAccesses[*].serviceNamespace contains "s3"

Ingesting Tags for AWS Resources
To enable filtering using tags in RQL, the following AWS APIs ingest tag information on your cloud resources:
- aws-describe-vpc-endpoints
- aws-ec2-describe-flow-logs
- aws-organization
- aws-apigateway-get-rest-apis
- aws-apigateway-get-stages
- aws-elasticache-snapshots
- aws-eks-describe-cluster
The eks:ListTagsForResource permission is required to ingest tags for the EKS service. See Update the CFT to enable the additional permissions.

Additional Context for Network Anomaly Alerts
Network anomaly alerts generated against the Port scan activity and Port sweep activity policies now include additional context based on threat feed information from sources such as AutoFocus and Facebook ThreatExchange. In addition, all anomaly alerts include a tooltip that describes the threat details.

New Policies and Policy Updates

GCP VM Instance Using a Default Service Account with Full Access to all Cloud APIs
Identifies VM instances on GCP that are using a default service account with full access to all Cloud APIs. This policy enables you to prevent potential privilege escalation and enforce the principle of least privilege when granting permissions to service accounts.

Policy Updates
The GCP CIS v1.0.0 Compliance standard, section 4.1, is updated to match on the policy GCP VM instance using a default service account with full access to all Cloud APIs instead of GCP VM instances with excessive service account permissions. Updated the AWS RDS DB cluster encryption is disabled policy to include the instructions for remediation.
Posted 09-01-2020 12:58 PM
Features Introduced on June 2, 2020

New Features

Custom Header Support for Webhook Integration
To enable support for additional data such as the API key or access token of your application in a Webhook integration, Prisma Cloud supports key-value pairs in a custom header. If you had previously set up a Webhook integration, the Auth Token you had configured is now sent as a custom header in the payload.

Business Unit Report on Open Alerts
To share a report on the status of your cloud assets and how they are doing against Prisma Cloud security and compliance policy checks, you can generate an on-demand or scheduled Business Unit Report. The report enables your business stakeholders to keep track of the total number of assets and how many of them have passed or failed against the enabled policies, and to monitor how they're doing on a regular basis. You can opt to create a summary report, which shows how you're doing across all your business units. The detailed report lets you get more granular on each cloud account in the report.

GCP Seoul Region Support
Prisma Cloud can now monitor resources deployed in the Seoul region. To review the list of supported regions, use the Cloud Region filter on the Asset Inventory.

API Ingestion
APIs to ingest the following services:
- aws-organization-ou: additional permissions required are organizations:ListChildren, organizations:listPoliciesForTarget, organizations:DescribeOrganizationalUnit
- aws-organization-account: additional permissions required are organizations:listPoliciesForTarget, organizations:DescribeAccount, organizations:ListTagsForResource
- aws-organization-root: additional permissions required are organizations:ListChildren, organizations:listPoliciesForTarget, organizations:listRoots
- aws-organizations-scp: additional permissions required are organizations:ListChildren, organizations:ListPolicies, organizations:DescribePolicy, organizations:listPoliciesForTarget
- aws-organizations-tag-policy: additional permissions required are organizations:ListChildren, organizations:ListPolicies, organizations:DescribePolicy, organizations:listPoliciesForTarget

Ingesting Tags for AWS Resources
To enable filtering using tags in RQL, the following AWS APIs ingest tag information on your cloud resources:
- aws-cloudtrail-describe-trails
- aws-cloudwatch-describe-alarms
- aws-describe-workspace-directories
- aws-dynamodb-describe-table
The cloudwatch:ListTagsForResource and dynamodb:ListTagsOfResource permissions are required to ingest tags for these services. See Update the CFT to enable the additional permissions. If you want to grant granular permissions manually:
- CloudTrail service requires ListTags
- DynamoDB service requires ListTagsOfResource
- CloudWatch service requires ListTagsForResource

Saved Search Additions
Use the following Saved Searches to easily create a policy and generate an alert if you want to check for:
- AWS IAM role with unused S3 buckets permissions_RL
- AWS IAM user with unused S3 buckets permissions_RL
- AWS IAM role with unused permissions_RL
- AWS IAM user with unused permissions_RL
- AWS EC2 instances with Marketplace AMI_RL

New Policies and Policy Updates

Anomaly Policies to Detect Network Evasion or Resource Misuse
Five new Anomaly policies are available to help you detect:

Ports or protocols that are not typically used on your network to provide or consume services:
- Unusual server port activity (Internal): identifies network activity from one (external or internal) client host to a server host inside your cloud environment, using a server port not previously seen in the VPC.
- Unusual server port activity (External): identifies network activity from a client host inside your cloud environment to an external server host, using a server port not previously seen in the VPC.
- Unusual protocol activity (Internal): identifies network activity from one (external or internal) client host to a server host inside your cloud environment, using an IP protocol not previously seen in the VPC.
- Unusual protocol activity (External): identifies network activity from a client host inside your cloud environment to an external server host, using an IP protocol not previously seen in the VPC.

Resource misuse by potential spam:
- Spambot activity: identifies a host inside your cloud environment that is generating outbound SMTP traffic and for which no previous mail-related network activity has been observed. This instance may be compromised and sending out spam.

AWS MQ is publicly accessible
Identifies AWS MQ brokers that are publicly accessible from the internet. As a best practice, ensure that AWS MQ brokers are not accessible from the Internet to minimize security risks and exposure of sensitive data.

AWS MFA is not enabled on Root account
Identifies root accounts that do not enforce Multi Factor Authentication (MFA) on the AWS public cloud. Because root accounts have privileged access to all AWS services, enabling MFA reduces the risk of root account credentials being compromised. This policy does not apply to AWS GovCloud accounts because you cannot enable MFA on AWS GovCloud (US) root accounts.
Posted 09-01-2020 12:57 PM
Features Introduced on June 16, 2020

New Features

Threat Source and Unit 42 tags in Network RQL
In Network RQL, you can now filter search results based on threat source, such as AutoFocus or Facebook ThreatExchange. For AutoFocus, you can further query for specific tag groups using threat.tag.group, which reference the genre of malware families as categorized by the Unit 42 threat research team. For example:

network where dest.publicnetwork IN ('Suspicious IPs') and threat.source IN ( 'AF' ) AND threat.tag.group = 'Cryptominer'

Prisma Cloud Business Edition on Azure China
Start using the Prisma Cloud tenant in China to connect to your Azure China subscriptions and monitor the resources deployed in China.

Plugin Updates for scanning IaC templates
The GitHub plugin adds support for Terraform version 0.12 and enables you to include your Prisma Cloud credentials as part of the installation process. The Visual Studio Code plugin adds support for Terraform version 0.12 and enables you to scan multiple files within a directory.

API Ingestion
- GCP IAM Recommender, which is part of the Google Recommendations service: gcloud-iam-policy-recommendation-list. Additional permission required: recommender.iamPolicyRecommendations.list. For details, see permissions and roles for GCP.
- Google API Key: gcloud-api-key. Additional permission required: serviceusage.apiKeys.list. GCP has released this API as an alpha release. To use this API, you must be explicitly allowed access to the API from Google Cloud. Because Google Cloud does not provide an SLA for this alpha version, this API is also not bound by the terms of the Prisma Cloud SLA.

Saved Search Additions
Use the following Saved Searches to easily create a policy and generate an alert if you want to check for:
- AWS IAM user with unused Key management or System manager permissions
- AWS IAM role which is not set with any permission boundaries or set with excessive permission boundary permissions

New Policy and Policy Updates

AWS IAM roles with administrator access permissions
Identifies AWS IAM roles with administrator access privileges. Granting least privilege access is recommended as a security best practice.

AWS IAM groups with administrator access permissions
Identifies AWS IAM groups with administrator access privileges.

GCP SQL Server instance database flag 'cross db ownership chaining' is enabled
Identifies GCP SQL Server instances that are enabled for cross database ownership, so that you can assess the security implications of this setting.

GCP SQL Server instance database flag 'contained database authentication' is enabled
Identifies SQL Server instances that are enabled for contained database authentication. This poses a security risk because control over access to the server is no longer limited to members of the system or security administrators.

Prisma Cloud Default Policies: No longer available
Due to the delay in generating the associated alerts, the following Prisma Cloud default policies are no longer available:
- AWS Multiple Lambda Functions using same IAM role.
- AWS Log metric filter and alarm does not exist for Security group changes.
These policies are being removed to optimize performance and to address the time-to-alert delays caused by the large volume of data that these policies parse.
Posted 09-01-2020 12:56 PM
Features Introduced on July 14, 2020

New Features

Support for GCP Folders
When you add your GCP Organization to Prisma Cloud, you can now view all the projects or folders contained in the organization hierarchy and choose to add all the projects, or selectively include or exclude the projects and folders you want to monitor, or monitor and protect, using Prisma Cloud.

Prisma Cloud as a PAYG Subscription on the AWS Marketplace
Prisma Cloud is available as an hourly PAYG subscription on the AWS Marketplace. With this new listing, you can use the Prisma Cloud Enterprise Edition license for the first 15 days as a free trial, and then you are billed based on hourly usage; no long-term contract is required.

(Coming Soon) Support for Domain-based Message Authentication, Reporting & Conformance (DMARC)
Email notifications from Prisma Cloud will include the domain name to support Domain-based Message Authentication, Reporting & Conformance (DMARC), and the email address noreply@paloaltonetworks.com is being replaced with noreply@prismacloud.paloaltonetworks.com. To ensure that you continue to receive emails, please replace noreply@paloaltonetworks.com with noreply@prismacloud.paloaltonetworks.com in your approved sender list.

New Filters for Policies
The Policies page has three new filters: Category, Class, and Subtype. The table view includes these filters as new columns. The Category filter enables you to separate incidents from risks and prioritize what you want to focus on based on your role. You can, for example, use this filter to identify policies that identify incidents before policies that identify risky configurations. The Class filter logically groups policies. Use it to separate policies that affect your area of focus, and delegate as appropriate. The Subtype filter separates the various types of policies that pertain to each policy Type. For example, Anomaly policies are split into two subtypes: Network and UEBA.

Updates for Inclusive Language on Prisma Cloud
Prisma Cloud has updated all references to whitelist on the API and management console. Settings > IP Whitelisting is renamed Settings > Trusted IP Addresses, where you can specify Trusted Alert IP Addresses (previously Login IP Whitelisting) and Trusted Login IP Addresses (previously called Trusted IP Whitelisting). See Public REST API Updates also.

Exclusion of Trusted Sources in Anomaly Policies
To exclude trusted IP addresses that are internal or known, such as those you may use to conduct tests for PCI compliance or penetration testing on your network, you can now add these IP addresses in CIDR format to the Trusted IP Address List on Settings > Anomaly Settings. Any addresses included in this list do not generate alerts against the Prisma Cloud Anomaly policies that detect unusual network activity, such as the policies that detect port scan and port sweep activity, unusual server and port activity, and Spambot activity.

GCP Flow Logs Update
GCP flow logs are now available for Prisma Cloud tenants deployed on https://app.prismacloud.io. You do not need to submit a special request to enable flow logs on your tenant.

Amazon SQS Integration Supports a Separate IAM Role
When integrating Prisma Cloud with Amazon SQS, you now have the flexibility to use a separate IAM role to enable alert notifications to SQS. If you use the CFT to onboard your AWS account and the SQS queue belongs to the same cloud account, the Prisma Cloud IAM Role policy has the permissions required for Amazon SQS, and by default Prisma Cloud accesses the SQS queue with these credentials. If this is not applicable for the SQS queue you are trying to integrate, you can provide the IAM credentials (Access Key and Secret Key) associated with that role when you add a new SQS integration (Settings > Integrations). The IAM user whose security credentials (Access and Secret Keys) you provide must have the sqs:SendMessage and sqs:SendMessageBatch permissions.

API Ingestion
AWS
- The noCloudTrailFound attribute is no longer ingested for the aws-cloudtrail-describe-trails API. With this change, Prisma Cloud will no longer ingest the noCloudTrailFound attribute for an AWS account that does not have CloudTrail enabled in a given region. If you have any custom policies that use this attribute, the alerts against those policies will be marked as resolved.
GCP
- Google Compute Engine: gcloud-compute-project-info
- Google Dataproc Clusters: gcloud-dataproc-clusters-list
- For the gcloud-compute-api, Prisma Cloud now includes labels assigned to your GCP project. You can use the tag attribute to find resources tagged with labels in config where RQL queries.

Saved Search Additions
Use the following Saved Searches to easily create a policy and generate an alert if you want to check for:
- AWS IAM policy with unused permissions
- AutoFocus saved searches are consolidated by tag groups to detect malicious activities that are initiated from an internal source on your network or from an external source.

AutoFocus Updates
Change in threat source name in RQL, and access to AutoFocus from the Prisma Cloud console. The AutoFocus threat intelligence feed was referred to as threat.source in ( AF ) and is now threat.source in ( AutoFocus ). For example, the RQL should now be:

network where dest.publicnetwork IN ('Suspicious IPs') AND threat.source IN ( 'AutoFocus' ) AND threat.tag.group = 'Cryptominer'

Additionally, if you have an AutoFocus license, you can now click the IP address link to launch the AutoFocus portal and search for a Suspicious IP address directly from the Investigate page.

Compliance Standards in Business Unit Reports
When generating the Business Unit report, you can now filter on one or more compliance standards to ensure that the report data covers only the alerts associated with policies tied to the selected compliance standards.

API Ingestion
APIs to ingest:
- Azure custom policy definitions at the subscription level. Azure Policy: azure-policy-definition
- Updated the JSON structure for the azure-storage-account-list API to display the total count of containers that are publicly accessible. In addition, the ingested data displays the names of the first 1000 containers in this list.

GCP Las Vegas Region Support
Prisma Cloud can now monitor resources deployed in the Las Vegas region. To review the list of supported regions, use the Cloud Region filter on the Asset Inventory.

Prisma Cloud Service for AWS China
Start using the Prisma Cloud tenant in China (https://app.prismacloud.cn) to connect to your AWS China accounts deployed in the Ningxia and Beijing regions.

Prisma Cloud Service in Singapore
Prisma Cloud is now available in the Singapore region. You can select this region when you sign up for the service from the AWS Marketplace or the Palo Alto Networks Marketplace.

New Policy and Policy Updates

Alibaba Cloud RAM user with both console access and access keys
Identifies Resource Access Management (RAM) users who can access both the Alibaba Cloud management console and the API. As a best practice, limit what the user can do and grant permissions for either console access or the API.

AWS policies that enable auto-remediation
The following policies are updated:
- AWS Customer Master Key (CMK) rotation is not enabled
- AWS EKS cluster endpoint access publicly enabled
- AWS RDS event subscription disabled for DB instance
- AWS EKS control plane logging disabled
- AWS Redshift clusters should not be publicly accessible
- AWS RDS database instance is publicly accessible
- AWS RDS minor upgrades not enabled
- AWS RDS instance without Automatic Backup setting
The additional permissions required to enable auto-remediation for these policies are: "kms:EnableKeyRotation", "rds:ModifyEventSubscription", "eks:UpdateClusterConfig", "rds:ModifyDBInstance", "redshift:ModifyCluster"

Internet exposed instances
Updated the Internet exposed instances policy to identify AWS Cloud workloads that are exposed to the Internet. With this change, this policy now applies to AWS only.

Public REST API Updates

Deprecated and replacement REST API endpoint paths
The REST endpoint paths in the following list are deprecated. A new endpoint replaces each deprecated endpoint. The deprecated endpoints will be removed in the near future:
- Deprecated: /ip_whitelist_login  New: /ip_allow_list_login
- Deprecated: /ip_whitelist_login/{id}  New: /ip_allow_list_login/{id}
- Deprecated: /ip_whitelist_login/status  New: /ip_allow_list_login/status
- Deprecated: /ip_whitelist_login/tab  New: /ip_allow_list_login/tab
- Deprecated: /whitelist/network  New: /allow_list/network
- Deprecated: /whitelist/network/{networkUuid}  New: /allow_list/network/{networkUuid}
- Deprecated: /whitelist/network/{networkUuid}/cidr  New: /allow_list/network/{networkUuid}/cidr
- Deprecated: /whitelist/network/{networkUuid}/cidr/{cirdUuid}  New: /allow_list/network/{networkUuid}/cidr/{cirdUuid}
The x-redlock-status header values have been updated in a similar manner (e.g. login_ip_whitelist_missing_field is now login_ip_allow_list_missing_field).

Cloud accounts and GCP Folders
There are additions to the cloud account REST APIs, including additions to the request parameters to on-board cloud accounts, to support the new Support for GCP Folders feature.

Anomalies Trusted List
There are new REST API endpoints to support the anomalies trusted list.

Amazon SQS integration
The REST API for Amazon SQS integration has some new but optional request parameters.

Policies
There are three new read-only attributes in the Policy and Policy View models (the latter is in the response to a List Policies request) to describe the hierarchy of a policy. New policy filters exist for these attributes.

Alerts
Requests to list alerts by policy (GET or POST /alert/policy) no longer include alert rules in the response object. Alert rules are available through requests for individual alert information.
Posted 09-01-2020 12:56 PM