Runtime defense for processes
Prisma Cloud provides runtime protection to ensure that processes that run in your environment meet the parameters of the learned models and the rules defined in Console. This article provides more information on the options available for tailoring the monitoring and response within the runtime rules.
Prisma Cloud ships with a rule named
Default - alert on suspicious runtime behaviorthat enables runtime protection for processes by default. You can further refine your policy by creating additional custom rules that target specific resources, enable or disable protection features, and define exceptions to the automatically generated whitelist models.
New runtime rules can be created in Console in
Defend > Runtime > Container Policy. Click
Add rule, specify a rule name and scope in the
Generaltab, then select the
Processestab to define how Prisma Cloud handles new processes in running containers.
For more information on how rules are applied, and how models and rules are combined to create a resultant policy, see the article on runtime defense.
When behavior is detected that deviates from your runtime policy (resultant from the combination of your container model and your rules), Prisma Cloud Defender takes action. For processes, the Defender can be set into one of four modes.
- Disable— Defender doesn’t provide any protection for processes.
- Alert— Defender raises alerts when it detects process activity that deviates from your defined runtime policy. These alerts are visible inMonitor > Events > Container Audits.
- Block— Defender stops the entire container if a process that violates your policy attempts to run.
Note that besides taking action on processes outside of the whitelist model, Defender also takes action when existing binaries that have been modified are executed. For example, an attacker might replace httpd (Apache) with an older version that can be exploited. Prisma Cloud raises alerts for each of the following cases:
- A modified binary is executed,
- A modified binary listens on a port,
- A modified binary makes an outbound connection.
Prisma Cloud can detect anomalous process activity. These features can be independently enabled or disabled.
Detect processes used for lateral movement
Prisma Cloud can detect processes, such as netcat, known to facilitate lateral movement between resources on a network. If detected, a lateral movement incident type is created in Incident Explorer. When this option is enabled, Defender takes action on this type of incident according to the configured effect.
Detect parent child process relationships
As part of the model, Prisma Cloud learns what processes are invoked, and the parent processes that triggered the invocation. If this option is enabled, Defender can act on processes that are invoked by a parent other than that which is specified by the model. This action may show up as an audit in a number of different incident types in Incident Explorer.
Explicitly allowed and denied processes
The fields for
Explicitly allowed processesand
Explicitly denied processeslet you tailor runtime models to whitelist and blacklist which processes are allowed to run. Processes can be listed by name or MD5 hash.
Recommended For You
Recommended videos not found.