June 2023
Deployment June 28, 2023
IMPROVEMENT Compliance Rulesets Update - 12:10 UTC
Description: The first release of the AWS CSA CCM v4 Ruleset; the first release of the Alibaba CIS v1.0 Ruleset; the first release of the K8S GKE CIS v1.4 Ruleset; French support for GCP best practices; new AWS and Azure rules. A complete list can be found here.
Case ID: IN-7955, DFT-2595, DFT-2585, DFT-2367, DFT-2404, DFR-2316
Known limitations: N/A
Affected Components: COMPLIANCE RULESETS
Deployment June 28, 2023
FEATURE Update Notifications Integration on Alert deletion/closure - 13:00 UTC
Description: Policy unassociation will publish a closing alert with a status of pass.
Case ID: PLAT-8366
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE
FIXED Support AWS WorkSpace services in Mumbai - 13:00 UTC
Description: Added support for AWS WorkSpace services in the AWS Mumbai region.
Case ID: DFT-2641
Known limitations: N/A
Affected Components: PROTECTED ASSETS FETCHERS
FEATURE OCI Compartment API - 11:30 UTC
Description: A new endpoint was added to fetch data about Oracle compartments:
Get all compartments under an account: https://api.dome9.com/v2/OciCompartment
Get all compartments of a specific cloud account: https://api.dome9.com/v2/OciCompartment/{id}
Case ID: DFR-2733
Known limitations: N/A
Affected Components: API
FIXED Azure Storage Account - 07:30 UTC
Description: The Azure Storage Account ‘table’ and ‘queue’ encryption flags now show the correct value. Previously, encryption on ‘table’ and ‘queue’ was enabled by default when creating a storage account in Azure. It is now possible to choose not to enable encryption for these components.
Case ID: IN-1554
Known limitations: N/A
Affected Components: PROTECTED ASSETS FETCHERS
FIXED AWS KMS aliases in China region - 07:00 UTC
Description: Fixed an issue where KMS aliases in the China region were not updated.
Case ID: DFT-2547
Known limitations: N/A
Affected Components: FETCHERS
Deployment June 27, 2023
FIXED AWS Region - 12:00 UTC
Description: Fixed an issue where disabled AWS regions showed up in the protected assets table and caused an error when trying to access them. From now on, disabled regions will not be available in the protected assets.
Case ID: DFT-2554
Known limitations: N/A
Affected Components:
Deployment June 26, 2023
feature GKE Autopilot - 12:00 UTC
Description: Support for GKE Autopilot (except for Runtime Protection)
Case ID: CON-5273
Known limitations: N/A
Affected Components: containers
feature Configure agents - 12:00 UTC
Description: Configure agents with node-critical and cluster-critical priority classes by default (improved support for clusters with small nodes)
Case ID: CON-5273
Known limitations: N/A
Affected Components: containers
feature DaemonSet configuration - 12:00 UTC
Description: Support multiple DaemonSet configurations per node pool
Case ID: CON-5273
Known limitations: N/A
Affected Components: containers
IMPROVEMENT Runtime Protection: keep running if eBPF probe can't be built/loaded - 12:00 UTC
Description: Runtime Protection: keep running if eBPF probe can't be built/loaded; multiple optimizations
Case ID: CON-5273
Known limitations: N/A
Affected Components: containers
IMPROVEMENT Inventory: Improved support for large inventory of Kubernetes resources - 12:00 UTC
Description: Inventory: Improved support for large inventory of Kubernetes resources
Case ID: CON-5273
Known limitations: N/A
Affected Components: containers
IMPROVEMENT Dependencies on node configuration - 12:00 UTC
Description: Change imageScan.mountPodman default to false (reduce dependencies on node configuration)
Case ID: CON-5273
Known limitations: N/A
Affected Components: containers
FIXED OCI Network Load Balancer - 13:30 UTC
Description: OCI Network Load Balancer now correctly shows connected network security group IDs
Case ID: DFT-2568
Known limitations: N/A
Affected Components:
IMPROVEMENT Network Exposure support for Azure Storage Account - 15:00 UTC
Description: Support the Network Exposure risk modifier for Azure Storage Account.
Case ID: SEC-801
Known limitations: N/A
Affected Components: Risk Management
Deployment June 25, 2023
FIXED GCP IAM Group - 14:00 UTC
Description: Fixed an issue where the “GcpIamGroup” entity was causing assessment failures.
Case ID: DFT-2578
Known limitations: N/A
Affected Components: compliance engine
FIXED Azure Application Gateway - 14:00 UTC
Description: A connector was added to the Azure “ApplicationGateway” entity, making it possible to query its relation to the “RegionalWAF” entity directly.
Case ID: DFT-2591
Known limitations: N/A
Affected Components: compliance engine
IMPROVEMENT GSL Builder UI - 17:30 UTC
Description: “New” labels were removed from the GSL builder UI for 30-day-old entities.
Case ID: IN-7609
Known limitations: N/A
Affected Components: UI
Deployment June 21, 2023
IMPROVEMENT Compliance Rulesets Update - 10:00 UTC
Description: The first release of the AWS CIS Controls v8 Ruleset; new AWS rules. A complete list can be found here.
Case ID: IN-7818
Known limitations: N/A
Affected Components: COMPLIANCE RULESETS
IMPROVEMENT AWS Instance API - 7:00 UTC
Description: Added “imageDetails” property for the CloudInstance API.
Case ID: DFT-2509
Known limitations: N/A
Affected Components: API
Deployment June 18, 2023
FIXED Alibaba ECS Instance - 12:00 UTC
Description: Fixed a bug in Alibaba ECS Instance where the “Is Running” column in the protected assets did not show the status.
Case ID: DFT-2540
Known limitations: N/A
Affected Components: PROTECTED ASSETS
IMPROVEMENT AWS EKS Cluster - 9:30 UTC
Description: Added support for ‘encryptionConfig’ property in AWS EksCluster in Compliance Engine & Protected Assets.
Case ID: IN-6979
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE FETCHERS
FEATURE AWS X-Ray - 9:30 UTC
Description: Added support for "AWS X-Ray" in compliance engine and protected assets. A total of 3 new entities were added: XRayGroup, XRaySamplingRule, XRayEncryptionConfig.
Case ID: IN-7734
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE PROTECTED ASSETS FETCHERS
FEATURE AWS MemoryDB for Redis - 9:30 UTC
Description: Added support for "AWS MemoryDB for Redis" in compliance engine and protected assets. A total of 4 new entities were added: MemoryDbCluster, MemoryDbSnapshot, MemoryDbUser, MemoryDbAcl.
Case ID: IN-7644
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE PROTECTED ASSETS FETCHERS
FEATURE AWS Neptune - 9:30 UTC
Description: Added support for "AWS Neptune" in compliance engine and protected assets. A total of 4 new entities were added: NeptuneGlobalCluster, NeptuneCluster, NeptuneClusterSnapshot, NeptuneInstance.
Case ID: IN-7655
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE PROTECTED ASSETS FETCHERS
FEATURE AWS CodeArtifact - 9:30 UTC
Description: Added support for "AWS CodeArtifact" in compliance engine and protected assets. Two new entities were added: CodeArtifactDomain, CodeArtifactRepository.
Case ID: IN-7705
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE PROTECTED ASSETS FETCHERS
Deployment June 15, 2023
FIXED Protected Assets - Grouping API - 09:00 UTC
Description: Fixed an issue with nested aggregations counters in protected-assets group-by-properties API.
Case ID: SEC-1085
Known limitations: N/A
Affected Components: PROTECTED ASSETS
Feature Risk Management AWS S3 Bucket - IAM Exposure - 09:00 UTC
Description: Added validation of S3 Access Points when measuring the IAM exposure of S3 Buckets.
Case ID: SEC-960
Known limitations: N/A
Affected Components: Effective Risk Management PROTECTED ASSETS
Deployment June 14, 2023
feature Azure AD Conditional Access Named Locations - 16:00 UTC
Description: Added "Azure AD Conditional Access Named Locations" support in the compliance engine and protected assets.
Case ID: IN-7812
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE PROTECTED ASSETS FETCHERS
feature Azure AD Conditional Access Policies - 16:00 UTC
Description: Added "Azure AD Conditional Access Policies" support in the compliance engine and protected assets.
Case ID: IN-7813
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE PROTECTED ASSETS FETCHERS
IMPROVEMENT AWS RDS - 16:00 UTC
Description: Added support for ‘iamDatabaseAuthenticationEnabled’ property in AWS RDS in Compliance Engine & Protected Assets.
Case ID: IN-6979
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE PROTECTED ASSETS FETCHERS API
fixed GenericFinding - missing CIEM findings - 13:00 UTC
Description: Fixed an issue where large CIEM events and findings were missed.
Case ID: DFT-2558
Known limitations: N/A
Affected Components: compliance RUNNERS
improvement Service account export shows 'now' for all last used values - 13:00 UTC
Description: Updated testing following sanity test failures, to improve stability and performance.
Case ID: PLAT-8359
Known limitations: N/A
Affected Components: ui
fixed Service account export shows 'now' for all last used values - 13:00 UTC
Description: Corrected string 'now' to account.lastUsed in “src/app/users-management/service-accounts/service-accounts.ctrl.js”
Case ID: DFT-2481
Known limitations: N/A
Affected Components: ui
fixed Remove old Protected Assets page - 13:00 UTC
Description: Removed old protected asset page for all users and set the new one as default.
Case ID: PLAT-8306
Known limitations: N/A
Affected Components: ui
IMPROVEMENT Compliance Rulesets Update - 10:30 UTC
Description: The first release of the AKS CIS v1.3.0 Ruleset; New Azure CIS rules; DFT fix; A complete list can be found here.
Rule Deprecation D9.AZU.MON.03: The property is no longer supported or no longer exists in Azure
Rule Deprecation D9.AWS.LOG.09: Duplicate Rule
Case ID: IN-7890, DFR-2802, DFT-2597, DFT-2367
Known limitations: N/A
Affected Components: COMPLIANCE RULESETS
Deployment June 12, 2023
fixed KMS keys in China region - 11:00 UTC
Description: Fixed an issue where KMS keys in the China region were not updated.
Case ID: DFT-2547
Known limitations: N/A
Affected Components:
FEATURE AWS S3 Multi-Region Access Point - 11:00 UTC
Description: Added data fetching for S3 multi-region Access Points using ListMultiRegionAccessPoints AWS API.
Case ID: SEC-1073
Known limitations: N/A
Affected Components: fetchers
fixed Azure Firewall - 10:30 UTC
Description: The value of the hubIpAddresses property in the Azure Firewall entity was empty. It now contains the data.
Case ID: SEC-1013
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE FETCHERS
Deployment June 11, 2023
fixed Fix severe latency in Environments widget - 15:30 UTC
Description: Fixed a wrong condition that forced the filterPanel to change for every environment.
Case ID: DFT-2512, DFT-2539
Known limitations: N/A
Affected Components: UI
FEATURE Added OCI Autonomous Database to billable assets - 13:30 UTC
Description: Added OCI Autonomous Database to billable assets.
Case ID: IN-7362
Known limitations: N/A
Affected Components: protected assets
fixed Cloud IAM role API call timeout fix - 13:30 UTC
Description: For customers with a large number of IAM roles, the API call (https://api.dome9.com/v2/CloudIamRole) resulted in an error. This issue is now fixed.
Case ID: DFT-2454
Known limitations: N/A
Affected Components: api
fixed Email | Remove Dome9 name/reference from notifications - 17:30 UTC
Description: All CloudGuard emails are now sent from the Check Point domain (@checkpoint.com) instead of the Dome9 domain (@dome9.com), except for the “User gets Locked” and “Account Created using MSP” emails.
The email display name is now "CloudGuard Checkpoint" or "CloudGuard Reporter" (changed from "dome9" or "do-not-reply").
The email subject of CloudGuard scheduled report notifications now starts with "CloudGuard"; previously it started with "dome9".
Case ID: DFT-2002, PLAT-5106
Known limitations: N/A
Affected Components: api
Deployment June 8, 2023
Feature Risk Management AWS S3 Bucket - IAM Exposure support - 13:30 UTC
Description: Added a new measurement for AWS S3 Buckets that shows their IAM exposure (Public/Private).
Case ID: SEC-1042, SEC-1003, SEC-442
Known limitations: N/A
Affected Components: Effective Risk Management
FIXED Protected Assets - Search API - 09:00 UTC
Description: Fixed an issue with the aggregations counter in protected-assets search API.
Case ID: SEC-1060
Known limitations: N/A
Affected Components: PROTECTED ASSETS
Deployment June 7, 2023
feature New Regions Support in AWS - 14:00 UTC
Description: Added support for new regions in AWS in Compliance Engine and Protected Assets: Hyderabad (ap-south-2), Jakarta (ap-southeast-3), Melbourne (ap-southeast-4), Zurich (eu-central-2) & Spain (eu-south-2).
Case ID: DFR-2729, DFR-2680
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE PROTECTED ASSETS FETCHERS
IMPROVEMENT Azure Storage Account - 13:30 UTC
Description: Added support for ‘keyPolicy’ and ‘encryption.requireInfrastructureEncryption’ properties in Azure Storage Account in Compliance Engine & Protected Assets.
Case ID: IN-7478
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE PROTECTED ASSETS FETCHERS
IMPROVEMENT Azure Key Vault - 13:30 UTC
Description: Added support for ‘enableRbacAuthorization’ property in Azure Key Vault in Compliance Engine & Protected Assets.
Case ID: IN-7493
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE PROTECTED ASSETS FETCHERS
feature AWS Document DB - 13:30 UTC
Description: Added support for "AWS Document DB" in Compliance Engine and Protected Assets - 4 new entities were added: DocDbCluster, DocDbClusterSnapshot, DocDbGlobalCluster, DocDbInstance.
Case ID: IN-7623
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE PROTECTED ASSETS FETCHERS
IMPROVEMENT Compliance Rulesets Update - 10:00 UTC
Description: New AWS rules; DFT fix; Support for the EKS autopilot ruleset. A complete list can be found here.
Case ID: IN-7818, DFT-2479
Known limitations: N/A
Affected Components: COMPLIANCE RULESETS
Deployment June 5, 2023
fix Azure AD Access Reviews Schedule Definition assessment failure - Bug fix - 8:00 UTC
Description: Fixed a bug that caused assessment failures related to Azure ADAccessReviewsScheduleDefinition.
Case ID: DFT-2587
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE
Deployment June 4, 2023
FEATURE AWS S3 Access Point - 12:30 UTC
Description: Added data fetching for S3 Access Points using ListAccessPoints AWS API.
Case ID: SEC-1038
Known limitations: N/A
Affected Components: fetchers
Deployment June 1, 2023
IMPROVEMENT AC default policy - 16:00 UTC
Description: Switched the AC default policy to the new default ruleset. The Admission Control default policy has been updated to include only high-value security rules, resulting in fewer alerts.
Case ID: CON-5606
Known limitations: N/A
Affected Components: Containers
IMPROVEMENT Return time zone - 14:30 UTC
Description: Return time zone in ISO date format from the APIs. A complete list can be found here.
Case ID: CON-5665
Known limitations: N/A
Affected Components: Containers
IMPROVEMENT RP partial profiling code - 14:30 UTC
Description: Deploy RP partial profiling code. A complete list can be found here.
Case ID: CON-5678
Known limitations: N/A
Affected Components: Containers
IMPROVEMENT Agent status report CSV API - 14:30 UTC
Description: Agent status report CSV API. A complete list can be found here.
Case ID: CON-5720
Known limitations: N/A
Affected Components: Containers
IMPROVEMENT Allow offboarding through old controller (Terraform) - 14:30 UTC
Description: Allow offboarding through old controller (Terraform). A complete list can be found here.
Case ID: CON-5736
Known limitations: N/A
Affected Components: Containers
IMPROVEMENT UI - Containers - 14:30 UTC
Description: Workloads Images redesign, Kubernetes Version in Environment Table. A complete list can be found here.
Case ID: CON-5805
Known limitations: N/A
Affected Components: Containers
Deployment June 1, 2023
IMPROVEMENT Azure Container Registration - 16:00 UTC
Description: Added a new property called “anonymousPullEnabled” under “properties” in the Azure ContainerRegistry entity.
Case ID: DFR-2129
Known limitations: N/A
Affected Components: fetchers COMPLIANCE ENGINE PROTECTED ASSETS
FEATURE ERM data is now available for GSL via the riskModifiers property - 14:30 UTC
Description: Added support for ERM-related conditions in GSL. Each entity has its relevant ERM data available through the “riskModifiers” property.
Case ID: SEC-1016
Known limitations: N/A
Affected Components: GSL