Prisma Cloud lets you audit security-related activity on hosts protected by Defender.
Runtime rules specify the type of activity to capture.
The default host runtime rule, Default - alert on suspicious runtime behavior, assesses interactive user activity.
You can create additional runtime rules to control which type of events are captured on which hosts.
The following types of activity can be assessed and captured:
— Docker commands that alter state.
— Read-only Docker events: when you configure Prisma Cloud to capture Docker commands, you can optionally also capture commands that simply read state, such as docker ps and docker images.
— New sessions spawned by sshd.
— Commands run with sudo or su.
— Log activity from background apps: processes run by services on the host that could raise security concerns. Activities include service restart, service install, service modified, cron modified, system update, system reboot, package source modified, package source added, iptables changed, secret modified, accounts modified, and sensitive files modified.
Whereas Defender’s runtime system surfaces suspect activity by sifting through events, Defender’s forensics system presents a raw list of all spawned processes.
Enabling audits for local events
To enable audits for host activity, create a new host runtime rule.
After making your changes, you can view all audits in Monitor > Events.
Auditing begins after a rule is created.
Any events that occurred before the rule was created are not recorded.
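The following is an added illustration, not Prisma Cloud's own code or data formats, of how the rule semantics described above select which host events become audits: state-changing Docker commands are always recorded when Docker auditing is on, read-only Docker commands only when explicitly opted in, and nothing that happened before the rule was created is recorded. The event schema, the HostRuntimeRule fields, the extra read-only Docker subcommands beyond docker ps and docker images, and all sample events are assumptions constructed for this example.

```python
# Added example modelling host runtime rule selection. The HostEvent and
# HostRuntimeRule shapes are constructed for illustration and are not
# Prisma Cloud's real rule or audit formats.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Docker subcommands that only read state. The page names ps and images;
# the others are added here as an assumption.
READ_ONLY_DOCKER = {"ps", "images", "inspect", "logs", "version", "info"}

# Background service activities the page lists as auditable.
SERVICE_ACTIVITIES = {
    "service restart", "service install", "service modified", "cron modified",
    "system update", "system reboot", "package source modified",
    "package source added", "iptables changed", "secret modified",
    "accounts modified", "sensitive files modified",
}


@dataclass
class HostEvent:
    time: datetime
    host: str
    kind: str    # "docker", "sshd", "sudo", "su" or "service"
    detail: str  # command line, username, or service activity name


@dataclass
class HostRuntimeRule:
    created: datetime
    hosts: List[str]                 # hostnames the rule applies to
    docker_commands: bool = True
    read_only_docker: bool = False   # opt-in, as the page describes
    sshd_sessions: bool = True
    sudo_su: bool = True
    background_apps: bool = True


def audit_category(rule: HostRuntimeRule, ev: HostEvent) -> Optional[str]:
    """Return the audit category the rule would record for ev, or None."""
    if ev.kind == "docker":
        if not rule.docker_commands:
            return None
        parts = ev.detail.split()
        sub = parts[1] if len(parts) > 1 else ""
        if sub in READ_ONLY_DOCKER:
            return "docker read-only" if rule.read_only_docker else None
        return "docker state change"
    if ev.kind == "sshd":
        return "sshd session" if rule.sshd_sessions else None
    if ev.kind in ("sudo", "su"):
        return "privilege escalation" if rule.sudo_su else None
    if ev.kind == "service":
        if rule.background_apps and ev.detail in SERVICE_ACTIVITIES:
            return "background app: " + ev.detail
        return None
    return None


def audits_for(rule: HostRuntimeRule, events: List[HostEvent]) -> List[Tuple[str, str, str, str]]:
    """Events on covered hosts, after rule creation, that match a captured category."""
    out = []
    for ev in events:
        # Auditing begins only once the rule exists and only on its hosts.
        if ev.host not in rule.hosts or ev.time < rule.created:
            continue
        cat = audit_category(rule, ev)
        if cat:
            out.append((ev.time.isoformat(), ev.host, cat, ev.detail))
    return out


def _t(h: int, m: int) -> datetime:
    return datetime(2024, 1, 10, h, m, tzinfo=timezone.utc)


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    HostEvent(_t(8, 0), "web-1", "sudo", "sudo apt-get update"),   # before rule: dropped
    HostEvent(_t(9, 5), "web-1", "sshd", "alice"),
    HostEvent(_t(9, 6), "web-1", "docker", "docker ps"),            # read-only: opt-in
    HostEvent(_t(9, 7), "web-1", "docker", "docker run -d nginx"),
    HostEvent(_t(9, 8), "web-1", "sudo", "sudo systemctl restart sshd"),
    HostEvent(_t(9, 9), "web-1", "service", "cron modified"),
    HostEvent(_t(9, 10), "db-1", "su", "su -"),                     # host not covered
]

RULE = HostRuntimeRule(created=_t(9, 0), hosts=["web-1"])

if __name__ == "__main__":
    for row in audits_for(RULE, SAMPLE_EVENTS):
        print(row)
```

With the default rule the docker ps event is silently dropped; setting read_only_docker=True on the rule makes it appear as a "docker read-only" audit, mirroring the optional capture of read-only Docker commands described above.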