Runtime Audits

This document summarizes all the runtime audits (detections) that are available in Prisma Cloud Compute. For each detection you can learn what it actually detects, how to enable or disable it, how to avoid false positives, which workloads it applies to (Containers, Hosts, Serverless and App-embedded), and whether the audit also generates an incident.

Runtime detections for processes

Columns: Detection, Context, Audit message, Triggers an incident, Workloads.

Unexpected Process
  Context:
    Indicates that a process that is not part of the runtime model was spawned.
    • Avoid audits for specific known and allowed processes by adding the process name to the Allowed list on the runtime rule's Processes tab.
    • To add the processes to the model, navigate to the relevant model under Monitor > Runtime > Container models, click … and select Extend learning.
  Audit message:
    • <process> launched but is not found in the runtime model
    • <process> launched from <parent process> but is not found in the runtime model
  Workloads: Containers

Port Scanning Process
  Context:
    Indicates that a process identified as being used for port scanning was spawned.
    • Enable and disable this detection via the Port scanning toggle, under the Runtime rule Processes tab.
    • Avoid audits on specific known and allowed processes by adding process names to the Allowed list on the runtime rule's Processes tab.
  Audit message:
    <process> launched and is identified as a process used for port scanning
  Workloads: Containers

Explicitly Denied Process
  Context:
    Indicates that a process listed in the Denied & fallback list was spawned.
    • For App-embedded and Serverless, this indicates that a process that is not listed in the Allowed list was spawned.
  Audit message:
    <process> launched and is explicitly denied by runtime rule. Full command <command>
  Workloads: Containers, Host, Serverless, App-embedded

Modified Process
  Context:
    Indicates that a modified process was spawned. A modified process is a process whose binary was created or modified after the container was started.
    • Enable and disable this detection via the Processes started from modified binaries toggle, under the Runtime rule Processes tab.
    • Avoid audits on specific known and allowed processes by adding process names to the Allowed list on the runtime rule's Processes tab.
  Audit message:
    A modified executable <process> was launched
  Workloads: Containers, App-embedded

Altered Binary
  Context:
    Indicates that a package binary file was replaced during the image build. This detection generates an audit when a process is started from an altered binary.
    • Enable and disable this detection via the Processes started from modified binaries toggle, under the Runtime rule Processes tab.
    • Avoid audits on specific known and allowed processes by adding process names to the Allowed list on the runtime rule's Processes tab.
  Audit message:
    <process path> launched and is detected as an altered or corrupted package binary. The file metadata doesn’t match what’s reported by the package manager.
  Workloads: Containers, App-embedded
Crypto Miner Process
  Context:
    Indicates that a process identified as a crypto miner was spawned.
    • Enable and disable this detection via the Crypto miners toggle, under the Runtime rule Processes / Anti-malware tab.
    • Avoid audits on specific known and allowed processes by adding process names to the Allowed list on the runtime rule's Processes tab.
  Audit message:
    <process> launched and is identified as a crypto miner. Full command: <path>
  Workloads: Containers, Hosts, Serverless, App-embedded

Lateral Movement Process
  Context:
    Indicates that a process used for lateral movement was spawned.
    • Enable and disable this detection via the Processes used for lateral movement toggle, under the Runtime rule Processes tab.
    • Avoid audits on specific known and allowed processes by adding process names to the Allowed list on the runtime rule's Processes tab.
  Audit message:
    <process> launched and is identified as a process used for lateral movement. Full command: <path>
  Workloads: Containers

Temporary File System Process
  Context:
    Indicates that a process is running from a temporary file system.
    • Enable and disable this detection via the Processes running from temporary storage toggle, under the Runtime rule Anti-malware tab.
    • Avoid audits on specific known and allowed processes by adding process names to the Allowed list on the runtime rule's Processes tab.
  Audit message:
    <process> launched from a temporary file storage, which usually indicates malicious activity.
  Workloads: Hosts

Policy Hijacked
  Context:
    Indicates that the Prisma Cloud process policy was hijacked.
  Audit message:
    Possible tampering of Defender policy detected.
  Workloads: Serverless

Reverse Shell
  Context:
    Indicates that a process was identified as running a reverse shell.
    • Enable and disable this detection via the Reverse shell attacks toggle, under the Runtime rule Processes / Anti-malware tab.
    • Avoid audits on specific known and allowed processes by adding process names to the Allowed list on the runtime rule's Processes tab.
  Audit message:
    <process> is a reverse shell. Full command: <path>
  Workloads: Containers, Hosts

Suid Binaries
  Context:
    Indicates that a process is running with high privileges, by watching for executed binaries that have the setuid bit set.
    • Enable and disable this detection via the Processes started with SUID toggle, under the Runtime rule Processes tab.
  Audit message:
    <process> launched and detected as a process started with SUID. Full command: <path>
  Workloads: Containers

Unknown Origin Binary by service
  Context:
    Indicates detection of binaries created by a service without a package manager.
    • Enable and disable this detection via the Non-packaged binaries created or run by service toggle, under the Runtime rule Anti-malware tab.
    • You can also select Suppress detection for binaries created by compilation tools to ignore binaries that are created by a specific compilation tool.
    • Avoid audits on specific known and allowed processes by adding process names to the Allowed list on the runtime rule's Processes tab.
  Audit message:
    <process path> launched from a binary file which was written by <creating process path> that is not a known OS distribution package manager.
  Workloads: Hosts

Unknown Origin Binary by user
  Context:
    Indicates detection of a binary created by a user without a package manager.
    • Enable and disable this detection via the Non-packaged binaries created or run by user toggle, under the Runtime rule Anti-malware tab.
    • Avoid audits on specific known and allowed processes by adding process names to the Allowed list on the runtime rule's Processes tab.
  Audit message:
    <process path> launched from a binary file which was written by <creating process path> that is not a known OS distribution package manager.
  Workloads: Hosts

Web Shell
  Context:
    Indicates that the process was launched by a web shell.
    • Enable and disable this detection via the Webshell attacks toggle, under the Runtime rule Anti-malware tab.
    • Avoid audits on specific known and allowed processes by adding process names to the Allowed list on the runtime rule's Processes tab.
  Audit message:
    <process path> suspected to be launched by a webshell at <path>
  Workloads: Hosts
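The Altered Binary and Unknown Origin Binary entries above both rest on the same idea: a binary that the package manager did not install, or whose on-disk content no longer matches what the package manager recorded, is suspect. The following Python script is an added illustration of that comparison and is not Defender's own code. It assumes a manifest in the layout dpkg keeps under /var/lib/dpkg/info/<package>.md5sums (one "<digest>  <path relative to />" line per file); the files, the manifest and the tampering are all constructed inside a temporary directory, and SHA-256 is used for the digest where dpkg itself records MD5, so the layout rather than the hash algorithm is what the example demonstrates.

```python
import hashlib
import os
import tempfile

# Constructed package contents (not real binaries): relative path -> bytes as installed.
PACKAGE_FILES = {
    "usr/bin/curl": b"#!/bin/sh\necho original curl\n",
    "usr/bin/ssh": b"#!/bin/sh\necho original ssh\n",
    "usr/bin/wget": b"#!/bin/sh\necho original wget\n",
}


def build_manifest(files):
    """Produce the manifest text the package manager would have recorded at install time."""
    return "".join(
        f"{hashlib.sha256(content).hexdigest()}  {rel_path}\n"
        for rel_path, content in files.items()
    )


def parse_manifest(text):
    """Parse '<digest>  <relative path>' lines into {relative path: digest}."""
    recorded = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            digest, rel_path = line.split(None, 1)
            recorded[rel_path] = digest
    return recorded


def verify_package_files(root, manifest_text):
    """Compare every recorded file under root with the recorded digest.

    Returns {relative path: "ok" | "altered" | "missing"}.
    """
    results = {}
    for rel_path, recorded_digest in parse_manifest(manifest_text).items():
        full = os.path.join(root, rel_path)
        if not os.path.exists(full):
            results[rel_path] = "missing"
            continue
        with open(full, "rb") as fh:
            actual = hashlib.sha256(fh.read()).hexdigest()
        results[rel_path] = "ok" if actual == recorded_digest else "altered"
    return results


def audit_process_launch(process_path, root, manifest_text):
    """Return the Altered Binary audit text a launch of process_path would raise, else None."""
    rel = os.path.relpath(process_path, root)
    if verify_package_files(root, manifest_text).get(rel) == "altered":
        return (f"{process_path} launched and is detected as an altered or corrupted "
                "package binary. The file metadata doesn't match what's reported by "
                "the package manager.")
    return None


def demo():
    """Install the constructed files, replace one binary as a bad image build step would, run the check."""
    root = tempfile.mkdtemp()
    manifest = build_manifest(PACKAGE_FILES)
    for rel_path, content in PACKAGE_FILES.items():
        full = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    # Simulated tampering: curl replaced after installation, wget removed.
    with open(os.path.join(root, "usr/bin/curl"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho replaced during image build\n")
    os.remove(os.path.join(root, "usr/bin/wget"))
    report = verify_package_files(root, manifest)
    audit = audit_process_launch(os.path.join(root, "usr/bin/curl"), root, manifest)
    return report, audit


if __name__ == "__main__":
    report, audit = demo()
    for path, status in report.items():
        print(f"{status:8} {path}")
    print(audit)
```

A file that is present but not listed in any manifest is the case the Unknown Origin Binary entries describe; `verify_package_files` only reports on files the package manager recorded, so combining it with a walk of the same directories that flags unrecorded executables gives both views.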

Container general runtime detections

Columns: Detection, Context, Audit message, Triggers an incident, Workloads.

Cloud Metadata Probing
  Context:
    Indicates that the container is trying to access a cloud provider metadata server.
    • Enable and disable this detection via the Suspicious queries to cloud provider APIs toggle, under the Runtime rule Anti-malware tab.
  Audit message:
    Container queried provider API at <address>
  Workloads: Containers

Kubelet API Access
  Context:
    Indicates that a container is trying to access the Kubelet main API.
    • Enable and disable this detection via the Kubernetes attacks toggle, under the Runtime rule Anti-malware tab.
    • Avoid audits on specific known and allowed processes by adding process names to the Allowed list on the runtime rule's Processes tab.
  Audit message:
    Container queried kubelet API at <address>
  Workloads: Containers

Kubelet Readonly Access
  Context:
    Indicates that a container is trying to access the Kubelet readonly API.
    • Enable and disable this detection via the Kubernetes attacks toggle, under the Runtime rule Anti-malware tab.
    • Avoid audits on specific known and allowed processes by adding process names to the Allowed list on the runtime rule's Processes tab.
  Audit message:
    Container queried kubelet readonly API at <address>
  Workloads: Containers

Kubectl Spawned
  Context:
    Indicates that the kubectl process was spawned from the container.
    • Enable and disable this detection via the Kubernetes attacks toggle, under the Runtime rule Anti-malware tab.
    • Avoid audits on specific known and allowed processes by adding process names to the Allowed list on the runtime rule's Processes tab.
  Audit message:
    kubelet launched inside a container
  Workloads: Containers

Kubectl Downloaded
  Context:
    Indicates that the kubectl binary was downloaded and written to disk.
    • Enable and disable this detection via the Kubernetes attacks toggle, under the Runtime rule Anti-malware tab.
    • Avoid audits on specific known and allowed processes by adding process names to the Allowed list on the runtime rule's Processes tab.
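The audit messages in both tables on this page (process detections and container detections) follow fixed templates with angle-bracket placeholders, which makes them straightforward to normalize when they arrive in a SIEM or log pipeline. The script below is an added example, not Prisma Cloud code: it turns each template listed on this page into an anchored regular expression, maps a matching message back to its detection name and extracts the placeholder values. The sample audit lines are constructed for the example and are not real Defender output; the Unknown Origin Binary entries share one message between the "by service" and "by user" variants, so the message alone cannot tell them apart and they are mapped to a single name.

```python
import re

# Audit message templates as listed on this page, mapped to the detection name.
TEMPLATES = [
    ("Unexpected Process", "<process> launched but is not found in the runtime model"),
    ("Unexpected Process", "<process> launched from <parent process> but is not found in the runtime model"),
    ("Port Scanning Process", "<process> launched and is identified as a process used for port scanning"),
    ("Explicitly Denied Process", "<process> launched and is explicitly denied by runtime rule. Full command <command>"),
    ("Modified Process", "A modified executable <process> was launched"),
    ("Altered Binary", "<process path> launched and is detected as an altered or corrupted package binary. "
                       "The file metadata doesn't match what's reported by the package manager."),
    ("Crypto Miner Process", "<process> launched and is identified as a crypto miner. Full command: <path>"),
    ("Lateral Movement Process", "<process> launched and is identified as a process used for lateral movement. Full command: <path>"),
    ("Temporary File System Process", "<process> launched from a temporary file storage, which usually indicates malicious activity."),
    ("Policy Hijacked", "Possible tampering of Defender policy detected."),
    ("Reverse Shell", "<process> is a reverse shell. Full command: <path>"),
    ("Suid Binaries", "<process> launched and detected as a process started with SUID. Full command: <path>"),
    ("Unknown Origin Binary", "<process path> launched from a binary file which was written by <creating process path> "
                              "that is not a known OS distribution package manager."),
    ("Web Shell", "<process path> suspected to be launched by a webshell at <path>"),
    ("Cloud Metadata Probing", "Container queried provider API at <address>"),
    ("Kubelet API Access", "Container queried kubelet API at <address>"),
    ("Kubelet Readonly Access", "Container queried kubelet readonly API at <address>"),
    ("Kubectl Spawned", "kubelet launched inside a container"),
]

PLACEHOLDER = re.compile(r"<([a-z ]+)>")


def compile_template(template):
    """Escape the literal text and turn each <placeholder> into a named, non-greedy group."""
    pattern, pos = "", 0
    for m in PLACEHOLDER.finditer(template):
        pattern += re.escape(template[pos:m.start()])
        pattern += "(?P<%s>.+?)" % m.group(1).replace(" ", "_")
        pos = m.end()
    pattern += re.escape(template[pos:])
    return re.compile(pattern)


COMPILED = [(name, compile_template(t)) for name, t in TEMPLATES]


def parse_audit(message):
    """Return {"detection": name, "fields": {...}} for a message matching a known template, else None."""
    text = message.strip().replace("\u2019", "'")  # normalize curly apostrophes
    for name, regex in COMPILED:
        m = regex.fullmatch(text)  # whole-line match so similar templates cannot shadow each other
        if m:
            return {"detection": name, "fields": m.groupdict()}
    return None


# Constructed sample audit lines for the example (not real Defender output).
SAMPLE_AUDITS = [
    "/usr/bin/nmap launched and is identified as a process used for port scanning",
    "/bin/bash launched from /usr/sbin/nginx but is not found in the runtime model",
    "/tmp/.x/kworker launched and is identified as a crypto miner. Full command: /tmp/.x/kworker -o pool.example",
    "Container queried kubelet readonly API at 10.0.0.5:10255",
    "Possible tampering of Defender policy detected.",
    "some message this page does not list",
]


def summarize(lines):
    """Count parsed audits per detection; messages matching no template count as 'unrecognized'."""
    counts = {}
    for line in lines:
        parsed = parse_audit(line)
        key = parsed["detection"] if parsed else "unrecognized"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_AUDITS:
        print(parse_audit(line))
    print(summarize(SAMPLE_AUDITS))
```

Because the templates are tried in order with a full-line match, the two-placeholder Unexpected Process form and the Temporary File System Process form are distinguished correctly even though both begin with "<process> launched from"; the "unrecognized" bucket is the place to watch for product message changes that would otherwise silently drop audits from a dashboard.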