End-of-Life (EoL)
Runtime Audits
This document summarizes all the runtime audits (detections) that are available in Prisma Cloud Compute. For each detection, it describes what is actually detected, how to enable or disable the detection, how to avoid false positives, the relevant workloads (Containers, Hosts, Serverless, and App-embedded), and whether the audit also generates an incident.
Runtime detections for processes
Detection | Context | Audit message | Triggers an incident | Workloads |
---|---|---|---|---|
Unexpected Process | Indicates that a process that is not part of the runtime model was spawned. | | | Containers |
Port Scanning Process | Indicates that a process identified as being used for port scanning was spawned. | <process> launched and is identified as a process used for port scanning | | Containers |
Explicitly Denied Process | Indicates that a process listed in the Denied & fallback list was spawned. | <process> launched and is explicitly denied by runtime rule. Full command <command> | | Containers, Hosts, Serverless, App-embedded |
Modified Process | Indicates that a modified process was spawned. A modified process is a process whose binary was created or modified after the container was started. | A modified executable <process> was launched | | Containers, App-embedded |
Altered Binary | Indicates that a package binary file was replaced during the image build. This detection generates an audit when a process is started from an altered binary. | <process path> launched and is detected as an altered or corrupted package binary. The file metadata doesn't match what's reported by the package manager. | | Containers, App-embedded |
Crypto Miner Process | Indicates that a process identified as a crypto miner was spawned. | <process> launched and is identified as a crypto miner. Full command: <path> | | Containers, Hosts, Serverless, App-embedded |
Lateral Movement Process | Indicates that a process used for lateral movement was spawned. | <process> launched and is identified as a process used for lateral movement. Full command: <path> | | Containers |
Temporary File System Process | Indicates that a process is running from a temporary file system. | <process> launched from a temporary file storage, which usually indicates malicious activity. | | Hosts |
Policy Hijacked | Indicates that the Prisma Cloud process policy was hijacked. | Possible tampering of Defender policy detected. | | Serverless |
Reverse Shell | Indicates that a process was identified as running a reverse shell. | <processes> is a reverse shell. Full command: <path> | | Containers, Hosts |
Suid Binaries | Indicates that a process is running with high privileges, detected by watching for executed binaries that have the setuid bit set. | <process> launched and detected as a process started with SUID. Full command: <path> | | Containers |
Unknown Origin Binary by service | Indicates detection of a binary created by a service without a package manager. | <process path> launched from a binary file which was written by <creating process path> that is not known OS distribution package manager. | | Hosts |
Unknown Origin Binary by user | Indicates detection of a binary created by a user without a package manager. | <process path> launched from a binary file which was written by <creating process path> that is not known OS distribution package manager. | | Hosts |
Web Shell | Indicates that the process was launched by a web shell. | <process path> suspected to be launched by a webshell at <path> | | Hosts |
Container general runtime detections
Detection | Context | Audit message | Triggers an incident | Workloads |
---|---|---|---|---|
Cloud Metadata Probing | Indicates that the container is trying to access a cloud provider metadata server. | Container queried provider API at <address> | | Containers |
Kubelet API Access | Indicates that a container is trying to access the Kubelet main API. | Container queried kubelet API at <address> | | Containers |
Kubelet Readonly Access | Indicates that a container is trying to access the Kubelet readonly API. | Container queried kubelet readonly API at <address> | | Containers |
Kubectl Spawned | Indicates that the kubectl process was spawned from the container. | kubelet launched inside a container | | Containers |
Kubectl Downloaded | Indicates that the kubectl binary was downloaded and written to the disk. | <process path> downloaded kubectl to container. | | Containers |
Runtime detections for Network activities
Detection | Context | Audit message | Triggers an incident | Workloads |
---|---|---|---|---|
Horizontal Port Scanning | Indicates that horizontal port scanning was detected. | Horizontal port scanning <process> to target IP <IP address> detected. Target ports <ports> | | Containers |
Vertical Port Scanning | Indicates that vertical port scanning was detected. | Vertical port scanning <process> to target IP <IP address> detected. Target ports <ports> | | Containers |
Explicitly Denied IP | Indicates that access to an IP address listed in the Denied & fallback list was detected. For App-embedded and Serverless, this indicates that access was detected to an IP address that is not listed in the Allowed list. | Outbound connection <process> to IP <ip address> is explicitly denied by a runtime rule | | Containers, Hosts, Serverless, App-embedded |
Custom Feed IP | Indicates detection of a connection to a high-risk IP, based on a custom feed. | Connect to <address> is high risk, based on custom IP feed. | | Containers, Hosts |
Feed IP | Indicates a connection to a high-risk IP, based on intelligence feed data. | Connect to <address> is high risk. Intelligence stream categorizes <address> as <malware>. | | Containers, Hosts |
Unexpected Outbound Port | Indicates detection of an outbound connection on a port that is not part of the runtime model. | | | |