December 2023

Deployment December 28, 2023

FEATURE DSPM Data Classifications - 11:00 UTC

Description:

  • Added support for Data Classifications in the Compliance Engine for entities: S3Bucket, StorageAccount, CosmosDbAccount, PostgreSQL and MySQLDBSingleServer.

  • The possible values are: PII, PCI, PHI, Credentials, Other.

  • Values are set according to the findings and classifications generated by AWS Macie and Azure Purview services.

Case ID: CNAPP-5975
Known limitations: N/A
Affected Components: DSPM COMPLIANCE ENGINE

Deployment December 27, 2023

IMPROVEMENT AWS CloudFront - 16:05 UTC

Description: Added new property to the AWS CloudFront entity: ‘WAFGlobalV2’.

Case ID: DFR-3079
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

feature AWS WAF Global V2 - 16:05 UTC

Description: Added support for “AWS WAF Global V2” entity in compliance engine and protected assets.

Case ID: DFR-3079
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

feature AWS Verified Access Instance - 16:05 UTC

Description: Added support for “AWS Verified Access Instance” entity in compliance engine and protected assets.

Case ID: CNAPP-5858
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

IMPROVEMENT Hide unsupported Azure services in China - 14:30 UTC

Description: Removed from the UI all Azure services that are not supported in China.
Case ID: CNAPP-5258
Known limitations: N/A 
Affected Components: UI

IMPROVEMENT Compliance Rulesets Update - 12:00 UTC

Description: New Rulesets Australia Essential 8 for AWS and Azure; New Rulesets CMMC 2.0 for AWS and Azure; New Rulesets CRI Profile for AWS and Azure; New Rulesets NY DFS 23 CRR 500 for AWS and Azure; New AWS and AZURE rules. A complete list can be found here.

Case ID: CNAPP-5921, DFT-3042
Known limitations: N/A 
Affected Components: COMPLIANCE RULESETS

FEATURE GCP Entities labels are now available in the finding Search API - 09:30 UTC

Description: Added GCP entity labels to the finding Search API.
Case ID: CNAPP-3787, DFR-2052
Known limitations: N/A 
Affected Components: API

FEATURE Posture Finding - Added Support for Exclusion By Region - 09:30 UTC

Description: Added an option to exclude by region in posture finding exclusions.
Case ID: CNAPP-3487, DFR-3152
Known limitations: N/A 
Affected Components: COMPLIANCE ENGINE

FEATURE Risk Management - Network Exposure - 09:30 UTC

Description: Azure FunctionApp support for Network Exposure in Protected Assets and Compliance Engine.
Case ID: CNAPP-4803
Known limitations: N/A 
Affected Components: RISK MANAGEMENT COMPLIANCE ENGINE PROTECTED ASSETS

feature Azure Machine Image Details - 8:05 UTC

Description: Added machine image details to the Azure Virtual Machine protected assets API, under “Additional Fields”.

Added a new property to the “VirtualMachine” entity: ‘machineImage.id’.

Added a new property to the “VMSSInstance” entity: ‘machineImage.id’.

Case ID: CNAPP-3135
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

feature Azure Cognitive Search - 8:05 UTC

Description: Added support for Azure Cognitive Search Service in Compliance Engine and Protected Assets.

Case ID: CNAPP-4903
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

feature Azure Virtual Machine Image - 8:05 UTC

Description: Added support for Azure VirtualMachineImage entity in Compliance Engine and Protected Assets

Case ID: CNAPP-4905
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

Deployment December 26, 2023

FIXED Invalid permissions removal - AWS onboarding - 08:00 UTC

Description: Some invalid permissions that were included in the AWS Onboarding CFT were removed.
Case ID: DFT-3209
Known limitations: N/A
Affected Components: onboarding

Deployment December 25, 2023

feature Fix IamRole Entity Type in Findings - 21:30 UTC

Description: Fix an issue with assigning IamRole entity type in findings as Default.
Case ID: DFT-3009, CNAPP-4270
Known limitations:
Affected Components: COMPLIANCE ENGINE

Deployment December 24, 2023

feature Azure Virtual WAN - 8:40 UTC

Description: Added support for Azure Virtual WAN entity in Compliance Engine and Protected Assets, as a new entity: VirtualWAN.

Case ID: CNAPP-4233
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

feature Azure Static Web App site - 8:40 UTC

Description: Added support for Azure Static Web App site entity in Compliance Engine and Protected Assets, as a new entity: StaticWebAppSite.

Case ID: CNAPP-5629
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

feature Azure Load Testing - 8:40 UTC

Description: Added support for Azure Load Testing in Compliance Engine and Protected Assets, as a new entity: LoadTest.

Case ID: CNAPP-4230
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

Deployment December 21, 2023

feature 2.26.0: RP file reputation, Fedora Core OS - 09:30 UTC

Description: Runtime Protection: daemon 1.11.5, probe 0.30.2-cp-6.

  • Improved File Reputation Blade for Reduced False Positives

  • Support Fedora Core OS.

Affected Components: CloudGuard Workload Protection agents.
Case ID: CON-7773
Known limitations: N/A
Affected Components: containers

FIXED Risk Management - Risk Levels - 09:30 UTC

Description: Adjusted risk levels and colors for environments and assets risk score.
Case ID: CNAPP-5514, CNAPP-5502
Known limitations: N/A
Affected Components: API UI Risk Management

FIXED Protected Assets API - 08:10 UTC

Description: Fixed a filtering issue when combining ‘Organizational Units’ and ‘CVEs’ filters.
Case ID: CNAPP-5846
Known limitations: N/A
Affected Components: API

Deployment December 20, 2023

IMPROVEMENT Intelligence findings notification output fields - 14:40 UTC

Description: Extend Intelligence findings notification output with additional fields from Intelligence logs.
Case ID: DFR-2363, CNAPP-299
Known limitations: N/A
Affected Components: Intelligence Notification

FIXED OCI Compute Instance - 14:40 UTC

Description: Fixed a bug in the OCI Compute Instance entity where the “timeCreated” property was in the wrong format. The field is now treated as a date.
Case ID: DFT-3203
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE

feature OCI MySql Service - 14:00 UTC

Description: Added support for Oracle cloud MySql service in Compliance Engine and Protected Assets. The following entities were added:

  • MySqlBackup

  • MySqlDbSystem

  • MySqlConfiguration

  • MySqlChannel.

Case ID: DFR-2915
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

FIXED UI | Dashboard | Cannot export to PDF - 14:40 UTC

Description: Fixed an issue where export to PDF got stuck if a section was empty.
Case ID: DFT-3196
Known limitations: N/A
Affected Components: ui

FIXED UI | Findings | CIEM Findings - cannot 'close' CIEM source findings - button should be grayed out - 14:40 UTC

Description: The ‘close’ button is grayed out for CIEM findings.
Case ID: DFT-2657
Known limitations: N/A
Affected Components: ui

FIXED Fix Azure onboarding wizard description - 14:40 UTC

Description: Updated the wizard description to match the Azure UI.
Case ID: DFT-2825
Known limitations: N/A
Affected Components: ui

FIXED GCP IAM Group - 12:00 UTC

Description: Fixed a bug where clicking a GCP IAM group on the protected assets page led to an error and redirection to the index page. Clicking the protected assets link now opens the GCP IAM Group entity page as expected.
Case ID: DFT-3109
Known limitations: N/A
Affected Components: PROTECTED ASSETS

FIXED AWS DMS Endpoints reduced API calls - 12:00 UTC

Description: Reduced the number of API calls performed to get data.
Case ID: DFT-3215
Known limitations: N/A
Affected Components: PROTECTED ASSETS

feature Azure Dedicated Host Group - 9:20 UTC

Description: Added support for Azure Dedicated Host Group entity in Compliance Engine and Protected Assets

Case ID: CNAPP-5533
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

feature Azure NetApp Files - 9:20 UTC

Description: Added support for Azure NetAppAccount entity in Compliance Engine and Protected Assets

Case ID: CNAPP-4236
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

IMPROVEMENT Compliance Rulesets Update - 9:00 UTC

Description: New AWS and AZURE rules. A complete list can be found here.

Case ID: CNAPP-5784, DFT-3090, DFT-3143
Known limitations: N/A 
Affected Components: COMPLIANCE RULESETS

Deployment December 17, 2023

FIXED Compliance Trend Change History widget – display in 1x1 widget tile size is not well presented with trend stats not cleanly displayed - 13:40 UTC

Description: Present Compliance Trend Change History widget in the dashboard in a better way
Case ID: DFT-2998
Known limitations: N/A
Affected Components: ui

FIXED New dashboards - Filter panel - missing filters - 13:40 UTC

Description: Add additionalFields and Is Public filters to protected assets widget
Case ID: CNAPP-5310
Known limitations: N/A
Affected Components: ui

feature Azure Orbital Spacecraft - 9:40 UTC

Description: Added support for Azure Orbital Spacecraft in Compliance Engine and Protected Assets.

Case ID: CNAPP-4232
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

FIXED Azure BatchAccount - 09:40 UTC

Description: Fixed the “BatchAccount” entity’s schema for GSL Builder and Compliance Engine.
Case ID: IN-8470
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE

feature Azure Data Migration Service - 9:40 UTC

Description: Added support for 2 Azure Data Migration Service entities in Compliance Engine and Protected Assets:

  • Data Migration.

  • Data Migration Classic.

Case ID: CNAPP-4229
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

feature Azure Log Analytics - 9:40 UTC

Description: Added support for Azure Log Analytics as a new entity: LogAnalyticsCluster.

Case ID: CNAPP-5524
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

feature GCP Organization Policy - 9:40 UTC

Description: Added support for the GCP Organization Policy service.

  • A new entity: AvailableOrgPolicyConstraint

  • A new property to the “Project” entity: orgPolicies[].

  • A new property to the “Folder” entity: orgPolicies[].

  • A new property to the “GcpOrganization” entity: orgPolicies[].

Case ID: DFR-2863
Known limitations:
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

Deployment December 13, 2023

IMPROVEMENT AWS ECS Task - 14:30 UTC

Description: Added new property to the AWS ECS Task entity: ‘SecurityGroups’ - an array of the security groups that are attached to the ENI of the current Task.

Case ID: DFT-3028, IN-8494
Known limitations:
Affected Components: COMPLIANCE ENGINE

IMPROVEMENT AWS Security Group - 14:30 UTC

Description: AWS Security Group now includes network assets statistics on ECS Task. These can be found under ‘networkAssetsStats’ where type = “EcsTask”.

Case ID: DFT-3028
Known limitations:
Affected Components: COMPLIANCE ENGINE

feature Azure Policy Set Definition - 12:40 UTC

Description: Added support for Azure Policy Set Definition (initiatives definition).

Case ID: DFR-2913
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

IMPROVEMENT AWS Config Rule - 12:40 UTC

Description: Added a new property ‘compliance’ to the AWS “ConfigRule” entity.

Case ID: DFR-2895
Known limitations:
Affected Components: COMPLIANCE ENGINE

IMPROVEMENT Compliance Rulesets Update - 11:00 UTC

Description: New Ruleset CSA CCM v4.0 for GCP; New Ruleset MLPS 2.0 for AWS; New AWS and AZURE rules. A complete list can be found here.

Case ID: CNAPP-5586, DFT-3097, DFT-3118
Known limitations: N/A 
Affected Components: COMPLIANCE RULESETS

feature Azure Data Share - 8:40 UTC

Description: Added support for Azure Data Share as a new entity: DataShareAccount.

Case ID: CNAPP-5458, DFR-2978
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

IMPROVEMENT GCP KMS - 8:40 UTC

Description: Added property to the GCP KmsKeyRing entity: ‘cryptoKeys[].protectionLevel’.

Case ID: DFR-2521
Known limitations:
Affected Components: COMPLIANCE ENGINE api

feature GCP Organization - 8:40 UTC

Description: Added support for GCP Organization as a new entity: GcpOrganization.

Case ID: DFR-2964
Known limitations: Only organizations that are visible to the service account will appear. Requires setting a policy binding on the organizational level with a view permission for the service account.
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

Deployment December 12, 2023

fix Azure fetching for China - 15:00 UTC

Description: Fix support for Azure China in all Azure entities.
Case ID: CNAPP-5254
Known limitations: Phase 1 of the fix; not all of the entities are supported for China yet.
Affected Components: fetchers

Deployment December 11, 2023

IMPROVEMENT Aws DaxCluster - 15:30 UTC

Description: Added support for SecurityGroup property in AWS Dax Cluster in Compliance Engine.

Case ID: DFR-2722
Known limitations: This property can be used to query the securityGroup property and to pass/fail the rule according to it, but it is currently not visible in the Entity Viewer in the UI.
Affected Components: COMPLIANCE ENGINE

IMPROVEMENT Azure VirtualMachine - 06:00 UTC

Description: Added support for the following NIC properties: ‘dnsSettings’, ‘nicType’, ‘workloadType’, and ‘privateLinkService’ in Azure VirtualMachine entity.

Case ID: DFR-2840
Known limitations: N/A 
Affected Components: COMPLIANCE ENGINE PROTECTED ASSETS

Deployment December 7, 2023

FEATURE Risk Management - Data Sensitivity - 11:00 UTC

Description: Risk Management supports Data Sensitivity indication for Azure PostgreSQL and MySQLDBSingleServer using Azure Purview data.
Case ID: CNAPP-4977
Known limitations: N/A
Affected Components: DSPM RISK MANAGEMENT PROTECTED ASSETS COMPLIANCE ENGINE

feature Risk Management - Network Exposure - 09:00 UTC

Description: Azure FunctionApp Support for Network Exposure in Protected Assets and Compliance Engine.
Case ID: CNAPP-4804
Known limitations: N/A 
Affected Components: Risk Management COMPLIANCE ENGINE PROTECTED ASSETS

FIXED Permissions for AWS onboarding page - 07:30 UTC

Description: Fixed missing permissions in AWS Organization onboarding, added missing permissions to the regular onboarding instructions, and fixed the permissions needed for SageMaker Notebook.
Case ID: CNAPP-4277
Known limitations: N/A
Affected Components: onboarding

Deployment December 6, 2023

feature AWS Timestream Query - 10:45 UTC

Description: Added support for AWS Timestream Query entity in Compliance Engine and Protected Assets.

Case ID: DFR-2414
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

feature Azure Batch - 10:45 UTC

Description: Added support for Azure BatchAccount entity in Compliance Engine and Protected Assets.

Case ID: CNAPP-4227
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

feature Azure Event Grid - 10:45 UTC

Description: Added support for Azure EventGridNamespace entity in Compliance Engine and Protected Assets.

Case ID: DFR-2837
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

feature Azure Compute Gallery - 10:45 UTC

Description: Added support for Azure Compute Gallery in Compliance Engine and Protected Assets.

Case ID: CNAPP-4228
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

feature GCP Folder - 10:45 UTC

Description: Added support for GCP Folder in Compliance Engine and Protected Assets.

Case ID: DFR-2963
Known limitations: Only folders that are visible to the service account will appear. Requires setting a policy binding on the folder's level with a view permission for the service account.
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

IMPROVEMENT GCP AppEngine - 10:45 UTC

Description: Added support for GCP Identity-Aware Proxy as new properties in AppEngine: “iapSettings”.

Case ID: DFR-2971
Known limitations: N/A 
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

IMPROVEMENT GCP BackendService - 10:45 UTC

Description: Added support for GCP Identity-Aware Proxy as new properties in BackendService: “iapAccessSettings” and “iapApplicationSettings”.

Case ID: DFR-2971
Known limitations: N/A 
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS

IMPROVEMENT Compliance Rulesets Update - 11:00 UTC

Description: CSA CCM v4.0 for Azure enrichment; New AWS and AZURE rules. A complete list can be found here.

Case ID: CNAPP-5348, DFT-2970, DFT-2993, DFT-3045, DFT-3075, DFT-3100
Known limitations: N/A 
Affected Components: COMPLIANCE RULESETS

Deployment December 3, 2023

feature Workload Protection for Kubernetes: helm 2.25.0 - 11:00 UTC

Description: Image Assurance 2.27.0:

  • Fix “Internal error” image scan errors on nodes where the containerd container runtime is configured to discard compressed image layers once they are unpacked. Affects GKE 1.27+ and all EKS with AMIs released after July 28, 2023.

Admission Control Enforcer 2.10.0

  • Fix escaping in GSL when a regular expression is defined.

Case ID: CON-7715
Known limitations: N/A
Affected Components: CONTAINERS

feature AWS Firewall Manager - 11:00 UTC

Description: Added support for AWS FirewallManagerAdminAccount and FirewallManagerPolicy entities in Compliance Engine and Protected Assets.

Case ID: CNAPP-3511
Known limitations: N/A
Affected Components: COMPLIANCE ENGINE FETCHERS PROTECTED ASSETS