Administrative activity audit trail

All Prisma Cloud administrative activities are logged.
Changes to any settings (including previous and new values), changes to any rules (create, modify, or delete), changes to the credentials (create,modify, or delete), and all logon activity (success and failure) are logged. For every event, both the user name and source IP are captured.
Audit records for App-Embedded runtime audits, Trust audits, Container network firewall audits, and Host network firewall audits are retained for up to 25,000 entries or 50 MB, whichever limit is met first.
For login activity, the following events are captured:
  • Every login attempt from the login page, including failures.
  • Every failed attempt to authenticate to the API. Successfully authenticated calls to the API are not recorded.
The full set of log data is available to anyone with a user role of auditor or higher.
To view the administrative history, open Console, then go to
Manage > Logs > History
Settings, credentials, and rule events show how a configuration has changed. You can review the API endpoint, and a diff of the previous and current JSON objects. The following screenshot shows the changes to a vulnerability management rule:
Use the API reference to view information on the API endpoint. The /api/22.01/policies/vulnerability/ci/images endpoint creates and modifies vulnerability rules for images scanned in the CI process. In this case, user name obscured has changed the threshold for the grace period for fixing Critical and High severity CVEs to 2 days and 4 days respectively after the vulnerability was published or disclosed.

Recommended For You