Runtime Audits
Table of Contents
Expand all | Collapse all
-
- Getting started
- System Requirements
- Cluster Context
-
- Prisma Cloud Container Images
- Kubernetes
- Deploy the Prisma Cloud Console on Amazon ECS
- Console on Fargate
- Onebox
- Alibaba Cloud Container Service for Kubernetes (ACK)
- Azure Container Service (ACS) with Kubernetes
- Azure Kubernetes Service (AKS)
- Amazon Elastic Kubernetes Service (EKS)
- IBM Kubernetes Service (IKS)
- OpenShift v4
-
- Defender Types
- Manage your Defenders
- Redeploy Defenders
- Uninstall Defenders
-
- Deploy Orchestrator Defenders on Amazon ECS
- Automatically Install Container Defender in a Cluster
- Deploy Prisma Cloud Defender from the GCP Marketplace
- Deploy Defenders as DaemonSets
- VMware Tanzu Application Service (TAS) Defender
- Deploy Defender on Google Kubernetes Engine (GKE)
- Google Kubernetes Engine (GKE) Autopilot
- Deploy Defender on OpenShift v4
-
- Agentless Scanning Modes
-
- Onboard AWS Accounts for Agentless Scanning
- Onboard Azure Accounts for Agentless Scanning
- Configure Agentless Scanning for Azure
- Onboard GCP Accounts for Agentless Scanning
- Configure Agentless Scanning for GCP
- Onboard Oracle Cloud Infrastructure (OCI) Accounts for Agentless Scanning
- Configure Agentless Scanning for Oracle Cloud Infrastructure (OCI)
- Agentless Scanning Results
-
- Rule ordering and pattern matching
- Backup and Restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with Certificates
- Configure custom certs from a predefined directory
- Customize terminal output
- Collections
- Tags
- Logon settings
- Reconfigure Prisma Cloud
- Subject Alternative Names
- WildFire Settings
- Log Scrubbing
- Clustered-DB
- Permissions by feature
-
- Logging into Prisma Cloud
- Integrating with an IdP
- Integrate with Active Directory
- Integrate with OpenLDAP
- Integrate Prisma Cloud with Open ID Connect
- Integrate with Okta via SAML 2.0 federation
- Integrate Google G Suite via SAML 2.0 federation
- Integrate with Azure Active Directory via SAML 2.0 federation
- Integrate with PingFederate via SAML 2.0 federation
- Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation
- Integrate Prisma Cloud with GitHub
- Integrate Prisma Cloud with OpenShift
- Non-default UPN suffixes
- Compute user roles
- Assign roles
-
- Prisma Cloud Vulnerability Feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- CVE Viewer
-
- Configure Registry Scans
- Scan Images in Alibaba Cloud Container Registry
- Scan Images in Amazon Elastic Container Registry (ECR)
- Scan images in Azure Container Registry (ACR)
- Scan Images in Docker Registry v2 (including Docker Hub)
- Scan Images in GitLab Container Registry
- Scan images in Google Artifact Registry
- Scan Images in Google Container Registry (GCR)
- Scan Images in Harbor Registry
- Scan Images in IBM Cloud Container Registry
- Scan Images in JFrog Artifactory Docker Registry
- Scan Images in Sonatype Nexus Registry
- Scan images in OpenShift integrated Docker registry
- Scan Images in CoreOS Quay Registry
- Trigger Registry Scans with Webhooks
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless Functions Scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot Vulnerability Detection
-
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
-
- Alert Mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
- API
Runtime Audits
This document summarizes all the runtime audits (detections) that are available in Prisma Cloud Compute. For each detection, you can learn more about what it actually detects, how to enable or disable it, avoid false positives, relevant workloads (Containers, Hosts, Serverless and App-embedded), and if the audit also generates an incident.
Runtime detections for processes
Detection | Context | Audit message | Triggers an incident | Workloads |
|---|---|---|---|---|
Unexpected Process | Indicates when a process that is not part of the runtime model was spawned.
|
| Containers | |
Port Scanning | Indicates a process was spawned, that is identified as being used for port scanning. | <process> launched and is identified as a process used for port scanning | Containers | |
Explicitly Denied Process | Indicates that a process listed in the Denied & fallback list was spawned.
| <process> launched and is explicitly denied by runtime rule. Full command <command> | Containers,
Host,
Serverless,
App-embedded | |
Modified Process | Indicates a modified process was spawned. A modified process is a process whose binary was created or modified after the container was started.
| A modified executable <process> was launched | Containers,
App-embedded | |
Altered Binary | Indicates that a package binary file was replaced during image build. This detection will generate an audit when a process is started from an altered binary.
| <process path> launched and is detected as an altered or corrupted package binary. The file metadata doesn’t match what’s reported by the package manager. | Containers,
App-embedded | |
Crypto Miner Process | Indicates a process that is identified as a crypto miner was spawned.
| <process> launched and is identified as a crypto miner. Full command: <path> | Containers,
Hosts,
Serverless,
App-embedded | |
Lateral Movement Process | Indicates a process that is used for lateral movement was spawned.
| <process> launched and is identified as a process used for lateral movement. Full command: <path> | Containers | |
Temporary File System Process | Indicates that a process is running from a temporary file system.
| <process> launched from a temporary file storage, which usually indicates malicious activity. | Hosts | |
Policy Hijacked | Indicates that the Prisma Cloud process policy was hijacked | Possible tampering of Defender policy detected. | Serverless | |
Reverse Shell | Indicates that a process was identified as running a reverse shell
| <processes> is a reverse shell. Full command: <path> | Containers,
Hosts | |
Suid Binaries | Indicates that a process is running with high privileges, by watching for binaries with the setuid bit that are executed.
| <process> launched and detected as a process started with SUID. Full command: <path> | Containers | |
Unknown Origin Binary by service | Indicates detection of binaries created by a service without a package manager.
| <process path> launched from a binary file which was written by <creating process path> that is not known OS distribution package manager. | Hosts | |
Unknown Origin Binary by user | Indicates detection of a binary created by a user without a package manager.
| <process path> launched from a binary file which was written by <creating process path> that is not known OS distribution package manager. | Hosts | |
Web Shell | Indicates that the process was launched by a web shell
| <process path> suspected to be launched by a webshell at <path> | Hosts |
Container general runtime detections
Detection | Context | Audit message | Trigger an incident | Workloads |
|---|---|---|---|---|
Cloud Metadata Probing | Indicates the container is trying to access a cloud provider metadata server.
| Container queried provider API at <address> | Containers | |
Kubelet API Access | Indicates that a container is trying to access the Kubelet main API.
| Container queried kubelet API at <address> | Containers | |
Kubelet Readonly Access | Indicates that a container is trying to access the Kubelet readonly API.
| Container queried kubelet readonly API at <address> | Containers | |
Kubectl Spawned | Indicates the kubectl process was spawned from the container.
| kubelet launched inside a container | Containers | |
Kubectl Downloaded | Indicates that the kubectl binary was downloaded and written to the disk.
| <process path> downloaded kubectl to container. | Containers |
Runtime detections for Network activities
Detection | Context | Audit message | Trigger an incident | Workloads |
|---|---|---|---|---|
Horizontal Port Scanning | Indicates horizontal port scanning detected
| Horizontal port scanning <process> to target IP <IP address> detected. Target ports <ports> | Containers | |
Vertical Port Scanning | Indicates vertical port scanning detected
| Vertical port scanning <process> to target IP <IP address> detected. Target ports <ports> | Containers | |
Port scanning | Indicates a process was spawned, that is identified as being used for port scanning.
| <process> launched and is identified as a process used for port scanning | Containers | |
Explicitly Denied IP | Indicates that access to an IP address listed in the Denied & fallback list was detected.For App-embedded and Serverless, this indicates that access was detected to an IP address that is not listed in the Allowed list | Outbound connection <process> to IP <ip address> is explicitly denied by a runtime rule | Containers,
Hosts,
Serverless,
App-embedded | |
Custom Feed IP | Indicates detection of a connection to a high risk IP, based on a custom feed.
| Connect to <address> is high risk, based on custom IP feed. | Containers,
Hosts | |
Feed IP | Indicates a connection to a high risk IP, based on intelligence feed data.
| Connect to <address> is high risk. Intelligence stream categorizes <address> as <malware>. | Containers,
Hosts | |
Unexpected Outbound Port | Indicates detection of an outbound connection on a port that is not part of the runtime model.
| Outbound connection to an unexpected port: <destination port> IP: <destination ip> | Containers | |
Unexpected Listening Port | Indicates a container process is listening on a port that is not part of the runtime model.
| Process <process path> is listening on unexpected port <port> | Containers | |
Suspicious Network Activity | Indicates detection of a process performing raw socket usage.
| Process <process name> performed suspicious raw network activity, <attack>
| Containers | |
Explicitly Denied Listening Port | Indicates a container process is listening on a port that is explicitly listed in the Listening ports list, under Denied & fallback .For App-embedded, this indicates ports that are not listed in the Allowed Listening ports list, or they are on the denied list. | Process <process name> is listening on port <port> explicitly denied by a runtime rule | Containers,
Hosts,
Serverless,
App-embedded | |
Explicitly Denied Outbound Port | Indicates a container process uses an outbound port that is explicitly listed in the Outbound internet ports list under Denied & fallback .For App-embedded, this indicates ports that are not listed in the Outbound ports list under Allowed , or they are on the denied list. | Outbound connection <process> to port <destination port> (IP: <destination ip>) is explicitly denied by a runtime rule. | Containers,
Hosts,
Serverless,
App-embedded | |
Listening Port Modified Process | Indicates a container modified process is listening on an unexpected port.
| Container process <process> was modified and is listening on unexpected port | Containers | |
Outbound Port Modified Process | Indicates a container modified process opened an outbound port.
| Outbound connection by modified process <process> to port: <destination port> IP: <destination IP> | Containers | |
Feed DNS | Indicates a DNS resolution query for a high risk domain, based on an intelligence stream.
| <domain name> identified as high risk. Intelligence feed categorizes this domain as <malicious category> | Containers,
Hosts | |
Explicitly Denied DNS | Indicates a DNS resolution query for a blacklisted domain, that is explicitly listed in the Domains list, under Denied & fallback in the Networking tab.For App-embedded and Serverless, this indicates domains that are not listed in the Allowed Domains list.
| DNS resolution of domain name <domain name> triggered by <process path> explicitly denied by runtime rule. | Containers,
Hosts,
Serverless,
App-Embedded | |
DNS Query | Indicates a DNS resolution query of a domain name that is not part of the runtime model.
| DNS resolution of suspicious name <domain name>, type <domain type> | Containers |
Runtime detections for File system activities
Detection | Context | Audit message | Trigger an incident | Workloads |
|---|---|---|---|---|
Administrative Account | Indicates that an administrative account file was accessed. Changes to such files can be related to backdoor attacks.
| <process name> wrote to administrative accounts configuration file <path> | Containers,
App-Embedded | |
SSH Access | Indicates that an ssh config file was accessed
| <process name> wrote to SSH configuration file <path> | Containers,
App-Embedded | |
Encrypted Binary | Indicates that an encrypted binary was written to disk, by checking the binary entropy.
| <process name> wrote a suspicious packed/encrypted binary to <path>. Packing/encryption can conceal malicious executables. | Containers,
Hosts,
App-Embedded | |
Explicitly Denied File | Indicates that a file listed in the File system Denied & fallback list was accessed. | <process name> changed explicitly monitored file <path> | Containers,
App-Embedded | |
Malware File Custom | Indicates that a file that is identified as malware, based on a custom feed, was accessed.
| <process name> created <file path> which was detected as <malware name> malware in the custom malware feed | Containers,
Hosts,
App-Embedded | |
Malware File Feed | Indicates that a file that is identified as malware, based on the intelligence stream, was accessed.
| Process <process name> created the file <file path> which was detected as malicious. Intelligence feed identifies the file as <malware name> | Containers,
Hosts | |
Executable File Access | Indicates that an executable file was written.
| <process name> changed the binary <file path> | Containers,
App-Embedded | |
ELF File Access | Indicates that an ELF file, that is not part of the runtime model, was modified.
| <process name> changed the binary <file path> | Containers,
App-Embedded | |
Secret File Access | Indicates that a file containing sensitive key material, that is not part of the runtime model, was written.
| <process name> created a key file at <file path> | Containers,
App-Embedded | |
Regular File Access | Indicates that a regular file, that is not part of the runtime model, was created.
|
| Containers,
Serverless,
App-Embedded | |
WildFire Malware detection | Indicates that a file detected by WildFire as malware was written to the file system. To enable or disable WildFire:
| Process <process name> created the file <file name> with MD5 <MD5>. The file created was detected as malicious. Report URL: <report url> | Containers,
Hosts,
App-Embedded | |
Unknown Origin Binary | Indicates that a binary file was written by a process that is not a known OS distribution package manager.
| <process name> which is not a known OS distribution package manager wrote the binary <path> | Hosts | |
Web Shell | Indicates that a file written to disk was detected as a web shell.
| <process name> wrote the file <file path> that was detected as a web shell. | Hosts | |
File Integrity | Indicates that file integrity detection was audited.
| Hosts | ||
Malware Downloaded | Indicates when a binary that has an architecture not supported by PC Compute Defender, is written to disk by a file download utility (“wget”, “curl”, etc.). PC Compute Defender supports the x86_64 architecture.
| Suspected malicious ELF file <file path> downloaded by process <process name> that is spawned by service <service name> [
For interactive audits, should include: <audit message> and user <user> ]
<audit message>. Incompatible process architecture <architecture>. | Containers,
Hosts,
App-Embedded | |
Suspicious ELF Header | Indicates that an ELF file with suspicious malware indicators in the header was created. The ELF header can indicate that the file was modified with anti-analysis techniques, which is used often by malware to avoid detection.
| Suspected malicious ELF file <file path>. File headers indicate anti-analysis techniques have been used to modify the file, which is used often by malware to avoid detection. | Containers,
Hosts,
App-Embedded | |
Execution Flow Hijack Attempt | Indicates a possible attempt to hijack program execution flow. For example, an audit will be generated when a process writes to /etc/ld.so.preload.
| Binary <process name> wrote to <file path>. File /etc/ld.so.preload is a special Linux system file that impacts the entire system. Libraries specified in this file are preloaded for all programs that are executed in the system. | Hosts |