Runtime defense for hosts

Without secure hosts, you cannot have secure containers. Host machines are a critical component in the container environment, and they must be secured with the same care as containers. Prisma Cloud Defender collects data about your hosts for monitoring and analysis.
Runtime host protection is designed to continuously report an up-to-date context for your hosts. You can configure detection for malware, network, log inspection, file integrity, activities and custom events. Some detected events can only be alerted on, while others can also be prevented.

Host runtime policy

By default, Prisma Cloud ships with an empty host runtime policy. An empty policy disables runtime defense entirely.
Creating a new rule enables runtime defense. When Defender is installed, it automatically starts collecting data about the underlying host. To create a rule, open Console, go to Defend > Runtime > Host Policy, and click Add rule. Create new rules to enhance host protection.
  • Each rule is assigned a name that indicates the target of that rule.
  • The scope of each rule is determined by the collection assigned to that rule.
  • Prisma Cloud uses rule order and pattern matching to determine which rule to apply for each workload.
Anti-malware provides a set of capabilities that let you alert on or prevent malware activity and exploit attempts.
The Prevent action for detection of file system events requires Linux kernel version 4.20 or later.

Anti-malware

Global settings

  • Alert/prevent processes by path
     — Provides the ability to alert on or prevent execution of specific processes based on the process name or the full path of the binary from which the process is executed. Some common tools are available for easy addition by selecting their category.
  • Allow processes by path
     — Provides the ability to mark processes as safe to use based on the process name or full path. Processes added to this list will not be alerted on or prevented by any of the Malware runtime capabilities.
    The above two fields are evaluated together to create a resultant policy: Final allowed paths = Allow paths - Alert/prevent paths
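The three behaviours described above (rule scope from the collection, first-match rule order, and the resultant allow list being the allow paths minus the alert/prevent paths) are modelled in the following evaluator. It is an illustration added here, not Prisma Cloud's own code, and it assumes two things the page does not state: that a collection can be expressed as hostname patterns, and that path entries accept shell-style wildcards. The sample rules, hostnames and binaries are constructed.

```python
"""Toy evaluator for host runtime policy rules (constructed example, not product code).

Models three behaviours from the documentation:
  * rule scope comes from the collection (assumed here: hostname patterns),
  * rule order decides which rule applies (first match wins),
  * Final allowed paths = Allow paths - Alert/prevent paths.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class PathEntry:
    """One 'Alert/prevent processes by path' entry."""
    pattern: str   # process name (no '/') or full binary path; '*' wildcards are an assumption
    action: str    # "alert" or "prevent"


@dataclass
class HostRule:
    name: str
    collection: list[str]                      # hostname patterns the rule is scoped to (assumption)
    alert_prevent: list[PathEntry] = field(default_factory=list)
    allow: list[str] = field(default_factory=list)


def path_matches(pattern: str, proc_path: str) -> bool:
    """A pattern containing '/' is compared to the full path, otherwise to the process name."""
    if "/" in pattern:
        return fnmatchcase(proc_path, pattern)
    return fnmatchcase(os.path.basename(proc_path), pattern)


def select_rule(rules: list[HostRule], hostname: str) -> HostRule | None:
    """Rules are evaluated in order; the first one whose collection matches the host applies."""
    for rule in rules:
        if any(fnmatchcase(hostname, pat) for pat in rule.collection):
            return rule
    return None


def effective_allow(rule: HostRule) -> list[str]:
    """Final allowed paths = Allow paths - Alert/prevent paths.

    An allow entry is dropped when any alert/prevent entry covers it, so a process
    listed in both places is never treated as safe.
    """
    return [
        p for p in rule.allow
        if not any(path_matches(e.pattern, p) for e in rule.alert_prevent)
    ]


def evaluate(rules: list[HostRule], hostname: str, proc_path: str) -> tuple[str, str]:
    """Return (rule name, verdict) for a process start observed on a host.

    Verdicts: "prevent" or "alert" from an alert/prevent entry, "allow" from the
    resultant allow list, "none" when no path entry covers the process (the other
    runtime capabilities would still evaluate it).
    """
    rule = select_rule(rules, hostname)
    if rule is None:
        return ("<no rule>", "none")
    for entry in rule.alert_prevent:           # deny entries take precedence over allow
        if path_matches(entry.pattern, proc_path):
            return (rule.name, entry.action)
    if any(path_matches(p, proc_path) for p in effective_allow(rule)):
        return (rule.name, "allow")
    return (rule.name, "none")


# Constructed sample policy: a targeted rule first, a catch-all rule last.
RULES = [
    HostRule(
        name="prod-web",
        collection=["web-*"],
        alert_prevent=[
            PathEntry("nc", "prevent"),              # process name: any nc binary
            PathEntry("/usr/bin/xmrig", "prevent"),  # full path
            PathEntry("nmap", "alert"),
        ],
        allow=["/opt/tools/*", "/usr/bin/nc"],       # nc is also denied above, so deny wins
    ),
    HostRule(name="default", collection=["*"], alert_prevent=[PathEntry("nmap", "alert")]),
]

if __name__ == "__main__":
    for host, proc in [("web-01", "/usr/bin/nc"), ("web-01", "/opt/tools/scan.sh"),
                       ("db-01", "/usr/bin/nmap"), ("db-01", "/usr/bin/nc")]:
        print(host, proc, "->", evaluate(RULES, host, proc))
```

Note that `effective_allow` drops `/usr/bin/nc` from the prod-web allow list because the `nc` alert/prevent entry covers it, which is the resultant-policy formula in action; and a host such as `db-01` falls through to the catch-all rule, so a targeted rule should always sit above the broader one.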

Anti-malware and exploit prevention settings

  • Crypto miners
     — Apply specific techniques for detection of crypto miners, alert on file creation, and alert or prevent their execution.