Bulk Operation Support

You can now perform actions (i.e., Resolve, Unresolve, Ignore, or Unignore) on multiple alerts simultaneously by selecting the checkbox on the Alerts table.

See image.

To learn more, see About Alerts and Ignoring or Resolving Alerts.

Cloud Alert Drawer Enhancements

The cloud alert drawer now allows you to:

• View properties, remediation, and compliance associated with the cloud alert.
• Perform actions (i.e., Resolve, Unresolve, Ignore, or Unignore), depending on the cloud alert status.

See image.

To learn more, see About Alerts.

On the Asset Timeline tab, you can now:

• View the changes on the cloud asset, investigate incidents, and perform potential root cause analysis of the same. For Amazon Web Services (AWS), you can also view the account ID and request parameters during resource state creation or update.

  See image.

  

  Close

• View the alerts triggered by the events as part of the data collection activity. Users can now figure out what led to a violation or incident by looking at the preceding events captured in the timeline.

  See image.

  

  Close

To learn more, see About Cloud Asset Details.

ZPC now supports the audit logs feature and records session information for every administrator who signs in to the ZPC Admin Portal. The audit logs provide a chronological list of activities performed by users in the tenants that are onboarded to ZPC.

See image.

To learn more, see About Audit Logs.

You can now ignore alerts that are triggered for a specific policy violation when the issue is not critical and does not require immediate action.

See image.

You can also create ignore filters to ignore newly triggered alerts.

See image.

To learn more, see About Alerts and Ignoring or Resolving Alerts.

Added the following security policies for cloud service providers:

• Amazon Web Services

  Security Policy Title
  EC2 instance is vulnerable to a OpenSSL high severity vulnerability
  Internet-facing EC2 instance is vulnerable to a OpenSSL high severity vulnerability

  Close
• Microsoft Azure

  Security Policy Title
  Ensure that Diagnostics logs enabled with storage account have a retention period of at least 365 days for Azure Key Vaults
  Ensure that Diagnostics logs enabled with storage account have a retention period of at least 365 days for Azure Kubernetes Service
  Ensure that Resource Locks are set for mission critical Azure resources
  Ensure that Soft Delete is enabled for Key Vault
  Ensure that diagnostics settings should be enabled on Application Gateway
  Ensure that Logging is enabled for Azure Key Vault
  Ensure that diagnostic settings should be enabled for SQL managed instance service
  Ensure that 'Public access level' is set to Private for Blob Containers
  Ensure web app has 'Client Certificates (Incoming client certificates)' set to 'On'
  Internet-facing Virtual Machine is vulnerable to a OpenSSL high severity vulnerability
  Virtual machine is vulnerable to a OpenSSL high severity vulnerability

  Close

To learn more, see About Security Policies.

You can add, edit, or delete custom roles and set permissions for users to access or manage specific modules in the ZPC Admin Portal.

See image.

To learn more, see Adding a Custom Role, Editing a Role, and Deleting a Custom Role.

You can export the Cloud or IaC alert data to an Excel file and download the report.

See image.

To learn more, see About Alerts and Downloading Reports.

The following enhancements are now available for ZPC filters:

• ZPC offers filter management. You can save a filter, and edit and delete a saved filter.

See image.

• ZPC offers new filters for security policies:
  • Policy Severity: Returns security policies of specific severity (Critical, High, Medium, or Low).
  • Theme: Returns security policies of specific theme (Compliance, Security Events, or Security Exposure).
  • Policy Threat Category: Returns security policies of specific threat category (Ransomware, Misconfiguration, or Account takeover).
  • MITRE ATT&CK: Returns security policies of a specific MITRE technique.
  • Policy State: Returns enabled or disabled security policies.
  • Allow Skip: Returns security policies that have Allow Skip enabled.
• ZPC offers new filters for Microsoft Azure compliance benchmarks:
  • Resource Group: Returns compliance benchmark details for a specific resource group.
  • Tags: Returns compliance benchmark information for assets with specific tags.

To learn more, see Using Filters.

You can view the list of alerts triggered for misconfigurations detected in your IaC infrastructure in the following tabs:

• Scans: Lists the scans completed for an alert.
• Policies: Lists the policies for an alert.
• All: Lists all the alerts.

See image.

To learn more, see About Alerts.

Supported Functions

Zscaler IaC Scan can parse the following functions:

• The Date and Numeric functions in ARM templates are supported.
• The Date, Time, and File System functions in Terraform templates are supported.

To learn more, see About IaC Templates and Supported Functions.

Reauthorization of IaC Integrations

You can reauthorize the IaC integration with Azure DevOps and GitLab in the event the authorization has expired or if the integration was unintentionally revoked.

To learn more, see Configuring IaC Scan for GitLab and Configuring IaC Scan for Azure Repos.

Advanced Settings for Terraform Cloud Integration

You can use the Advanced Settings for Terraform Cloud integration and select the severity level for failing a build.

See image.

To learn more, see Configuring IaC Scan for Terraform Cloud.

Authentication for Visual Studio and CLI

Authentication for Visual Studio Code and command-line interface (CLI) now launches into the browser and supports users mapped to multiple tenants.

To learn more, see Configuring IaC Scan for Visual Studio and Configuring the IaC CLI Scanner.

Remediation Procedure in IDE/CLI

The remediation procedure is now available within the Visual Studio integrated development environment (IDE) window and the command-line interface (CLI) along with the option to access the alert details in the ZPC Admin Portal. This enables developers to follow the remediation steps and easily resolve the misconfigurations and policy violations.

To learn more, see Configuring IaC Scan for Visual Studio and Configuring the IaC CLI Scanner.

Added the following security policies for cloud service providers:

• Amazon Web Services

  Security Policy Title
  EC2 Instance is running an image with critical vulnerabilities
  Internet facing EC2 instance with role is running vulnerable image
  Internet facing EC2 instance with role is running a vulnerable image and enables IMDVs1
  Internet facing EC2 instance with a powerful role is running a vulnerable image
  Internet facing EC2 instance with a powerful role is running a vulnerable image and enables IMDVs1
  Internet facing EC2 instance with a role is running an image with critical vulnerabilities and enables IMDVs1
  Publicly-exposed EC2 instance running a vulnerable image has access to S3 bucket contains sensitive data
  Internet facing EC2 instance has a powerful role and is running an image with critical vulnerabilities and enables IMDVs1

  Close
• Microsoft Azure

  Security Policy Title
  Ensure that ADS - Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
  Ensure that 'HTTP Version' is the latest, if used to run the web app
  Ensure Azure Active Directory RBAC is enabled for Azure Kubernetes Services (AKS)
  Ensure the 'Allow access to Azure services' flag is disabled for SQL Server
  Ensure that 'Data encryption' is set to 'On' for SQL Databases
  Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
  Ensure that data disks are encrypted for Linux Virtual Machines
  Ensure that data disks are encrypted for Windows Virtual Machines
  Ensure that operating system disks are encrypted for Linux Virtual Machines
  Ensure that operating system disks are encrypted for Windows Virtual Machines
  Ensure that periodic recurring scans is enabled for SQL server
  Ensure that 'Send scan reports to' is set for SQL Server
  Ensure storage for critical data are encrypted with Customer Managed Key
  Ensure SQL server's TDE protector is encrypted with BYOK
  Ensure that 'Also send email notification to admin and subscription owners' in Periodic recurring scan is enabled for SQL Server
  Ensure web app is using the latest version of TLS encryption
  Ensure that Azure Active Directory Admin is configured for SQL Server
  Ensure soft delete is enabled for Azure Storage
  Ensure that RDP access is restricted from the internet on NSG's
  Ensure that SSH access is restricted from the internet on NSG's
  Ensure that UDP Services are restricted from the Internet
  Ensure that diagnostics is enabled on Virtual Machine
  Ensure that 'Advanced Data Security' on a SQL server is set to 'On'
  Ensure that Diagnostics is enabled for SQL Databases
  Ensure that diagnostics log is enabled for Azure Data Lake Storage Gen2
  Ensure that diagnostics settings should be enabled on Express route circuit
  Ensure that diagnostics settings should be enabled on Front Door
  Ensure that diagnostics settings should be enabled on Traffic Manager Profile
  Internet facing virtual machine attached with a powerful managed identity and is running an image with critical vulnerabilities
  Internet facing virtual machine attached with a managed identity is running an image with critical vulnerabilities
  Internet facing virtual machine attached with a powerful managed identity is running a vulnerable image
  Internet facing virtual machine attached with a managed identity is running a vulnerable image
  Virtual machine Instance is running an image with critical vulnerabilities

  Close
• Google Cloud Platform

  Security Policy Title
  Internet facing virtual machine attached with a service account is running an image with critical vulnerabilities
  Internet facing virtual machine attached with a powerful service account is running a vulnerable image
  Internet facing virtual machine attached with a service account is running a vulnerable image
  Internet facing virtual machine attached with a powerful service account and is running an image with critical vulnerabilities

  Close

To learn more, see About Security Policies.

The Time Range filter is enhanced to include the following filter options:

• Last 12 hours: View the alerts that were generated or updated in the last 12 hours.
• Last day: View the alerts that were modified the previous day.
• Last week: View the alerts that were modified the previous week.
• Last month: View the alerts that were modified the previous month.
• Exact Date: View the alerts that are modified on the selected date.
• Custom Range: View the alerts that are modified on the selected date range along with time.

See image.

To learn more, see About Alerts.

On the Asset Type Details page (Cloud Assets > Asset Type), you can view the total number of alerts generated and vulnerabilities present for a specific cloud asset.

See image.

To learn more, see About Cloud Asset Type Details.

You can view all the Cloud Service Provider (CSP) events and activities performed on a cloud asset and also identify the modifier and the timestamp for when the asset was last modified.

See image.

To learn more, see About Cloud Asset Details.

Vulnerability scanning of Azure Linux workloads is supported with limited availability. You can enable the vulnerability scanning for specific instances within the cloud workload and schedule the scan to run at regular intervals.

See image.

You can view the list of alerts triggered for security policy violations that occur within your cloud resources in two tabs:

• All: Lists all the alerts.
• Policy: Lists alerts grouped by the policies.

See image.

To learn more, see About Alerts.

You can view the alert details for all the alerts related to a cloud asset.

See image.

To learn more, see About Cloud Asset Details.

You can view and export the list of all vulnerabilities associated with a cloud asset.

See image.

To learn more, see About Cloud Asset Details.

You can export the vulnerability scan results to an Excel file and download the report.

See image.

To learn more, see About Vulnerability Management.

ZPC provides support for the IaC scanning of push events in Microsoft Azure Repos. ZPC triggers a scan on push events and detects misconfigurations and policy violations.

See image.

Added the following security policies for cloud service providers:

• Microsoft Azure

  Security Policy Title
  Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
  Ensure FTP deployments are disabled for Web app
  Ensure FTP deployments are disabled for Mobile app
  Ensure that 'App Service Authentication' is enabled for Web apps
  Ensure that 'App Service Authentication' is enabled for Mobile Apps
  Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
  Ensure default network access rule for Storage Accounts is set to deny
  Ensure that 'Secure transfer required' is 'Enabled' for Storage Account
  Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers
  Ensure that 'Auditing' is set to 'On' for SQL Server
  Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
  Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
  Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
  Ensure that 'App Service Authentication' is enabled for Function Apps
  Ensure that 'App Service Authentication' is enabled for API Apps
  Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service

  Close
• Google Cloud Platform

  Security Policy Title
  Ensure that privileged service accounts do not have external keys that never expire
  Ensure virtual machine instances with powerful access permissions are not exposed to the internet

  Close
• Amazon Web Services

  Security Policy Title
  Ensure IAM users can either use password-based console access or access key based API access

  Close

You can integrate the Zscaler IaC Scan app with Terraform Cloud and scan run tasks in Terraform workspaces.

See image.

You can view descriptions of the following widgets on the Cloud Threats and Cloud Identities Dashboards to improve usability:

• Security Event & Attack Vector Alerts

  See image.

  

  Close

• Security Exposure Alerts

  See image.

  

  Close

• Top Power Categories

  See image.

  

  Close

To learn more, see About the Cloud Threats Dashboard and About the Cloud Identities Dashboard.