Prisma Cloud lets you audit security-related activity on hosts protected by Defender.
Runtime rules specify the type of activity to capture.
The default host runtime rule, Default - alert on suspicious runtime behavior, assesses interactive user activity.
You can create additional runtime rules to control which type of events are captured on which hosts.
The following types of activity can be assessed and captured:
- General user activities — Processes run in interactive sessions that could raise security concerns. Interactive sessions are children of sshd. Activities include: service restart, service install, service modified, cron modified, system update, system reboot, package source modified, package source added, iptables changed, secret modified, login, accounts modified, and sensitive files modified.
- Processes run by services on the host that could raise security concerns. Activities include: service restart, service install, service modified, cron modified, system update, system reboot, package source modified, package source added, iptables changed, secret modified, accounts modified, and sensitive files modified.
- Docker commands that alter state:
- Read-only Docker events — When you configure Prisma Cloud to capture Docker commands, you can optionally capture commands that simply read state. These include docker ps and docker images.
- New sessions spawned by sshd.
- Commands run with sudo or su.
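As an added example that is not part of the Prisma Cloud documentation, this Python script applies the categories above to a constructed process tree: it walks the parent chain to decide whether a command runs in an interactive session (a descendant of sshd) or under a service, separates state-changing Docker commands from the read-only docker ps and docker images, and flags sudo/su and new sshd sessions. The mapping from command lines to activity names (systemctl restart, iptables, apt-get upgrade) and the sample tree are assumptions, not Defender's own logic or output.

```python
from dataclasses import dataclass

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    cmd: str

# docker ps and docker images are the read-only commands named above; other subcommands alter state.
DOCKER_READ_ONLY = {"ps", "images"}
# Assumed mapping from command-line prefixes to three of the activity names listed above.
ACTIVITY_PREFIXES = {"systemctl restart": "service restart", "iptables": "iptables changed",
                     "apt-get upgrade": "system update"}

def in_ssh_session(proc, by_pid):
    """Interactive sessions are descendants of sshd: walk the parent chain looking for it."""
    seen, parent = set(), by_pid.get(proc.ppid)
    while parent is not None and parent.pid not in seen:
        if parent.name == "sshd":
            return True
        seen.add(parent.pid)
        parent = by_pid.get(parent.ppid)
    return False

def classify(proc, by_pid):
    """Audit categories a process falls into (possibly several, possibly none)."""
    cats, argv, parent = [], proc.cmd.split(), by_pid.get(proc.ppid)
    if parent is not None and parent.name == "sshd":
        cats.append("ssh: new session")
    if proc.name in ("sudo", "su"):
        cats.append("sudo/su command")
    if proc.name == "docker" and len(argv) > 1:
        kind = "read-only" if argv[1] in DOCKER_READ_ONLY else "state-changing"
        cats.append(f"docker {kind}: {argv[1]}")
    for prefix, activity in ACTIVITY_PREFIXES.items():
        if proc.cmd.startswith(prefix):  # origin decides which rule category applies
            origin = "interactive user" if in_ssh_session(proc, by_pid) else "service"
            cats.append(f"{origin}: {activity}")
    return cats

def audit(procs):
    """Map pid -> categories for every process that matches at least one category."""
    by_pid = {p.pid: p for p in procs}
    return {p.pid: c for p in procs if (c := classify(p, by_pid))}

# Constructed sample process tree (not Defender output): an SSH user restarting a service, a cron job editing iptables.
SAMPLE = [Proc(1, 0, "systemd", "/sbin/init"), Proc(800, 1, "sshd", "/usr/sbin/sshd -D"),
          Proc(802, 800, "bash", "-bash"), Proc(803, 802, "sudo", "sudo systemctl restart nginx"),
          Proc(804, 803, "systemctl", "systemctl restart nginx"), Proc(805, 802, "docker", "docker ps"),
          Proc(900, 1, "cron", "/usr/sbin/cron"), Proc(901, 900, "iptables", "iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT")]
```

Running `audit(SAMPLE)` attributes the nginx restart to the interactive user (its ancestor chain reaches sshd) and the iptables change to a service, which is the distinction the two rule categories above draw.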
Whereas Defender’s runtime system surfaces suspect activity by sifting through events, Defender’s forensics system presents a raw list of all spawned processes.
Enabling audits for local events
To enable audits for host activity, create a new host runtime rule.
After making your changes, you can view all audits in Monitor > Events.
Auditing begins after a rule is created.
Any events that occurred before the rule was created are not recorded.