Incident Explorer

Incident Explorer elevates raw audit data to actionable security intelligence, enabling a more rapid and effective response to incidents. Rather than having to manually sift through reams of audit data, Incident Explorer automatically correlates individual events generated by the firewall and runtime sensors to identify unfolding attacks.
Audit events generated as a byproduct of an attack rarely occur in isolation. Attackers might modify a configuration file to open a backdoor, establish a new listener to shovel data out of the environment, run a port scan to map the environment, or download a rootkit to hijack a node. Each of these attacks is made up of a sequence of process, file system, and network events. Prisma Cloud’s runtime sensors generate an audit each time an anomalous event outside the allow-list security model is detected. Incident Explorer sews these discrete events together to show the progression of a potential attack.
To learn more about the challenges of incident response in cloud native environments, and how Prisma Cloud can help, see this webinar recording.

Viewing incidents

To view incidents, go to Monitor > Runtime > Incident Explorer. Click on an incident to examine the events in the kill chain. Clicking on individual events shows more information about what triggered the audit. After you have examined the incident, and have taken any necessary action, you can declutter your workspace by archiving the incident.
Only one incident of a given type (port scanning, altered binary, etc.) is opened for a given resource (container, host, etc.) in any 24-hour period. Further incidents of that type for the same resource are automatically suppressed for 24 hours.
All the raw audit events that comprise the incident can be found in the audit data tab. To see the individual events and export the data to a CSV file, go to Monitor > Events > Container audits / Host audits / App-Embedded audits.
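To make the correlation and suppression behaviour described above concrete, here is a small added example (not Prisma Cloud code) that groups constructed audit events into incidents keyed by incident type and resource, opening at most one incident per pair in each 24-hour window. The audit fields, incident types and the choice to attach in-window audits to the open incident's story are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# One incident per (type, resource) is opened every 24 hours; further triggers
# for that pair inside the window are suppressed rather than opening a new one.
SUPPRESSION_WINDOW = timedelta(hours=24)


@dataclass
class Audit:
    time: datetime
    resource: str        # container or host identifier (assumed field)
    category: str        # process / filesystem / network (assumed field)
    incident_type: str   # e.g. "port_scanning", "altered_binary" (assumed names)
    message: str


@dataclass
class Incident:
    incident_type: str
    resource: str
    opened: datetime
    story: list = field(default_factory=list)  # audits in time order


def correlate(audits):
    """Sew audits into incidents: one incident per (type, resource) per 24h window."""
    open_incidents = {}  # (type, resource) -> most recently opened Incident
    incidents = []
    for audit in sorted(audits, key=lambda a: a.time):
        key = (audit.incident_type, audit.resource)
        current = open_incidents.get(key)
        if current is None or audit.time - current.opened >= SUPPRESSION_WINDOW:
            current = Incident(audit.incident_type, audit.resource, audit.time)
            open_incidents[key] = current
            incidents.append(current)
        # In-window audits join the existing story instead of raising a new incident;
        # this is how the example models "suppressed for 24 hours".
        current.story.append(audit)
    return incidents


# Constructed sample audits (not real data): two resources, two incident types.
_T0 = datetime(2024, 1, 1, 8, 0)
SAMPLE_AUDITS = [
    Audit(_T0, "container-c1", "network", "port_scanning", "SYN burst to 200 ports"),
    Audit(_T0 + timedelta(minutes=30), "container-c1", "filesystem", "altered_binary", "/usr/bin/curl modified"),
    Audit(_T0 + timedelta(hours=1), "container-c1", "network", "port_scanning", "SYN burst to 150 ports"),
    Audit(_T0 + timedelta(hours=2), "host-h1", "network", "port_scanning", "SYN burst to 300 ports"),
    Audit(_T0 + timedelta(hours=25), "container-c1", "network", "port_scanning", "SYN burst to 90 ports"),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_AUDITS):
        print(inc.incident_type, inc.resource, inc.opened, len(inc.story), "audits")
```

Running the block shows the second port scan on container-c1 at +1h folded into the first incident, while the scan at +25h opens a fresh incident because the window has expired.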
Incident Explorer is organized to let you quickly access the data you need to investigate an incident. The following diagram shows the contextual data presented with each incident:
  • (1) Story — Sequence of audits that triggered the incident.
  • (2) Image, container, and host reports — Scan reports for each resource type. Scan reports list vulnerabilities, compliance issues, and so on.
  • (3) Connections — Incident-specific radar that shows all connections to/from the container involved in the incident. Its purpose is to help you assess risk by showing you a connection graph for the compromised asset.
  • (4) Documentation — Detailed steps for investigating and mitigating every incident type.
  • (5) Forensics — Supplemental data collected and stored by Defender to paint a better picture of the events that led to an incident.

Forensics

Prisma Cloud Forensics is a lightweight distributed data recorder that runs alongside all the containers in your environment. Prisma Cloud continuously collects detailed runtime information to help incident response teams understand precisely what happened before, during, and after a breach.
Forensic data consists of additional supplemental runtime events that complement the data (audits) already captured by Prisma Cloud’s runtime sensors. It provides additional context when trying to determine the root cause of an incident. Each Defender collects and stores forensic data in a fixed-size first-in-first-out log file on the host where it runs. Forensic data is only downloaded to Console when it’s needed for an incident investigation. This architecture enables Defender to store large amounts of data without any impact on network bandwidth or