Introduces a new dashboard for the MITRE ATT&CK framework, which helps better contextualize runtime audits.

Improves Compliance Explorer to align with industry-accepted reporting standards.

Introduces new granular access permissions to supplement the current prebuilt, statically-defined roles. You can use access permissions to create fine-tuned custom roles.

Introduces the ability to run Prisma Cloud Compute Console in AWS Fargate.

Enhances Prisma Cloud’s capabilities for detecting and blocking malware with Palo Alto Networks WildFire malware analysis engine. Wildfire malware analysis can now be integrated into:

Adds support for detecting vulnerabilities in Go packages in Go binaries in container images and hosts.

Delivers the API reference as an OpenAPI 3.0 spec file. Spec files can now be downloaded from the Console UI.

Adds support for deploying single stand-alone Defenders with twistcli.

Updates support for CIS benchmarks to the latest available versions, specifically:

Improves how the scanner assesses data in the Intelligence Stream against the resources in your environment.

Implements standard Palo Alto Networks colors and typography across the product.

Enables advanced telemetry collection by default. This setting can be disabled.

Introduces the ability to better control which Defenders perform registry scans. You can now utilize collections to select Defenders for registry scanning, setting scope by hostname and AWS tags.

Implements a more robust runtime protection mechanism for App-Embedded Defenders based on ptrace. App-Embedded Defender protects AWS Fargate tasks, and containers in other Container-as-a-Service offerings, including Azure Container Instance and Google Cloud Run. As part of this change, Prisma Cloud now ships with a default runtime rule for App-Embedded Defenders.

Adds the ability for App-Embedded Defenders to assess containers in Fargate tasks for vulnerability and compliance issues.

Enhances the output from twistcli for image scans. When specifying --output-file, twistcli exports scan data to a local JSON file. The schema is now considered stable, and the structure will be maintained in future releases. In order to stabilize for the future, there are some breaking changes in the schema between 21.04 (this release) and 20.12 (the previous release). See the section on breaking changes for full details.

Introduces a new compliance template for the Docker Enterprise DISA STIG.

Adds a new control to container runtime rules that detects suspicious privilege escalation by watching for binaries with the setuid bit that are executed in your containers.

Adds the ability to discover VMs in your AWS, Azure, and GCP cloud accounts, and auto-deploy Host Defender to unprotected EC2 instances in your AWS accounts.

Adds support for host OS-specific compliance benchmarks, specifically:

Improved host runtime capabilities:

Improves how you scope the serverless functions to scan. Scan scopes now include all regions in a cloud account, and collections now let you target specific resources by region and tag.

Enhances handling for AWS Lambda layers. Lambda layers are now also scanned for vulnerability and compliance issues. Scan reports show where issues are found (in the Lambda function itself, or a dependent layer).

Introduces the ability to set and enforce a license policy for package dependencies in code repository scans.

Adds support for scanning code repositories with twistcli and the Jenkins plugin.

Adds support for the Go language for code repository scanning.

Improves WAAS’s API protection capabilities. WAAS can now produce a report of discovered API endpoints and usage statistics. The report can be exported as an OpenAPI file, and imported back into WAAS for enforcement.

Adds support to WAAS API protection for validating body, header, and formData parameters.

Adds custom rules for WAAS, which let you describe and detect discrete conditions in requests and responses.

Enhances WAAS policy rules:

Introduces reCAPTCHA integration for advanced bot detection.

Adds the ability to customize the page WAAS displays in response to a block action. You can customize the page template (HTTP) and response code.

Improves the usability of the WAAS audit timeline graph. You can now dynamically adjust the date filter by clicking and selecting the area of interest.

For Fargate and App-Embedded Defenders: Until this release, Prisma Cloud kept the task running if the connectivity to Console failed because of corrupt installation bundles (we just log and run the task anyway). Now, if a task is failing or is in an error state, Prisma Cloud doesn’t allow connections back to Console.

Compliance Explorer has been refactored to make it easier to understand how your environments, and segments of your environment, comply to policy. Because the structure of the data has changed, existing compliance statistics will be deleted on upgrade. Also:

Prometheus compliance fields have changed. Up until this release, Prisma Cloud had metrics by impacted resources (e.g. images_critical_compliance). Now we provide the total number of failed checks by severity. The new metrics are:

The JSON file output from twistcli image scans has the following schema changes:

The twistcli flag --include-package-files has been deprecated and removed.

If you’re using Kubernetes auditing, you must redeploy the AuditSink after upgrading. Console’s certificate might be renewed during upgrade, so your cluster won’t be able to send audits to Prisma Cloud Console.

Starting with this release, only users with the administrator role can download debug logs and create backups. The operator and auditor roles can no longer perform these actions. The artifacts from these actions contain sensitive information that could be used to escalate privileges in Prisma Cloud. Only admins can:

The Access User role lost all of its permissions, except access to some generally available API endpoints that are open to all authenticated users. Access Users will no longer be able to login to the Console UI. This role will be removed in the next release. As a reminder, the Access User role was originally designed for users to install certificates as part of a mechanism to control access to Docker commands.

As part of the work to introduce the new ATT&CK dashboard, all audits will be discarded on upgrade.

Installations using legacy host based licensing will not have the WAAS feature available

Due to reuse of network ranges in customer VPCs defenders on different clusters have the same name therefore host names were renamed. Therefore, upon defender upgrade the old defender will appear at console as disconnected until automatically removed by the console. The upgraded defender will appear under it’s new format name. Note: if the old defender(s) was specifically selected for registry scan, it will be needed to be reselected with their updated name New format names listed below:

Customers using automatic upgrade of defender may see vulnerabiliteis reported on their defenders. This is due to the fact that the automatic upgrade replaces the binary during while the vulenabilit(ies) exist on the base layer. In order to fix this, manual upgrade of the defenders will need to be performed

The Registry scanner role for Defenders has been deprecated and removed. Starting this release, Defenders are selected to perform registry scanning based on collections. To determine which Defenders are part of the scanner pool, filter the table in Manage > Defenders > Manage > Defenders by collection.

The Roles column in the table in Manage > Defenders > Manage > Defenders has been deprecated and removed. Defenders can no longer have the Registry scanner role (see above). Also, the table already contains data to show if a Defender has the Docker proxy role. See the Listerner type column in the table in Manage > Defenders > Manage > Defenders. If listener type is set to TCP Socket, Defender acts as a Docker proxy.

Compliance check 420, Image is not updated to latest, has been deprecated and removed from the product.

The Access User role will be deprecated in the next release (code-named Iverson).