When your runtime models aren’t completely tuned, you can get a barrage of false positive.
It’s difficult for operators to parse through so many audits, especially when most of it is noise.
And the volume and rate of audits can degrade your system.
To address the problem, Console presents a cross-section of the most important audits, while dropping redundant audits.
Prisma Cloud collects, collates, and throttles audits on a per-profile (model) basis, with a maximum of 100 audits per profile, sorted by recency.
Every audit is categorized by Type and Attack Type, where a Type can have one or more Attack Types.
For example, the Network Type has the following Attack Types (not a complete list):
DNS query of a high risk domain based on data in the Intelligence Stream.
DNS resolution of a blacklisted domain.
Unexpected Listening Port
Container process is listening on an unexpected port.
When there’s a large number of incoming audits, Prisma Cloud temporarily applies throttling.
When more than five audits of the same Attack Type are received over a short period of time, those audits are dropped.
A running count of all audits (dropped and not dropped) is updated periodically.
If no audits are received after a grace period, throttling is disabled.
Throttling is reset every 24 hours.
That is, if throttling is applied for all day 0, and five audits of a given attack have already been received, then no new audits for that Attack Type are displayed for 24 hours.
At the 24 hour period mark, throttling is disabled, and any new audits are collected, collated, and presented, until throttling is reapplied.
Throttling is applied to audits in the following systems:
Monitor > Events > Container Audits
Monitor > Events > Host Audits
Monitor > Events > Cloud Native App Firewall
Monitor > Events > Cloud Native Network Firewall
Monitor > Events > CNAF for Hosts
Monitor > Events > CNNF for Hosts
Note that a comprehensive list of audits can always be found in the Defender logs.
If syslog and/or stdout integration is enabled, all audits are always emitted there too.
Finally, if you set up alerts on all container runtime rules, you’ll get all audits to your alert channel; nothing is dropped or throttled.
Finally, if audits are being throttled, it’s a symptom of a larger issue.
You should tune your runtime models.