Investigate Audit Incidents on Prisma Cloud
Use event queries to investigate audit data.
Prisma Cloud ingests various services and associated user and event data from AWS, Azure, and GCP cloud services. You can investigate console and API access, monitor privileged activities and detect account compromise and unusual user behavior in your cloud environment.
Because Cloud Service Provider audit logs can be high volume, Prisma Cloud regularly evaluates these logs and filters them out if they are found to be of negligible security value; such logs are not persisted in Prisma Cloud and cannot be used in RQL queries.
To investigate audit data you can use Event queries. To build Event RQL queries, enter your query in the Search; use the auto-suggest for the attribute
json.rule
with the operators =
and IN
, (auto suggestion is not available for array objects). If the search expression is valid and complete, you can see a green check mark and results of your query. You can choose to save the searches that you have created for investigating incidents in My Saved Searches
. Use these queries for future reuse, instead of typing the queries all over again. You can also use the Saved Searches to create a policy. Saved Searches
has list of search queries saved by any user in the system.After you run event search queries, you can view the results in
Table View
, Trending View
, or in Map View
. By default you can see the details in the Table view. To pick the columns in the Table view, use the Column Picker on the Right hand corner.
From the table view, select
View Event Details
to see the resource configuration details.event from cloud.audit_logs where cloud.type = 'aws' AND crud IN ( 'create', 'delete' ) AND json.rule = $.awsRegion = 'us-east-1'
To analyze your Audit events offline, you can download the event search details in a CSV format, click
Download
on the right hand corner.Select
Trending View
to see the results in a timeline. Single click the bubble to view the results for a given timeline. Double click the bubble to drill down further.
Select
Map View
to see a World map with pinpoints to the locations where there are activities and anomalies. You can view usual activities and anomalous activities to their specific locations. Single click on the bubble in the map view to view results for the given location. Double click on the bubble in the map view to drill down further.
