Prisma Cloud ingests various services
and associated user and event data from AWS, Azure, and GCP cloud
services. You can investigate console and API access, monitor privileged
activities and detect account compromise and unusual user behavior
in your cloud environment.
To investigate audit data you can use Event queries. To build Event RQL queries, enter
your query in the Search; use the auto-suggest for the attribute
(auto suggestion is not available for array objects). If the search
expression is valid and complete, you can see a green check mark
and results of your query. You can choose to save the searches that
you have created for investigating incidents in
My Saved Searches
Use these queries for future reuse, instead of typing the queries
all over again. You can also use the Saved Searches to create a
has list of search
queries saved by any user in the system.
After you run event search queries, you can view the results
. By default you can see the
details in the Table view. To pick the columns in the Table view,
use the Column Picker on the Right hand corner.
From the table view, select
View Event Details
see the resource configuration details.
event from cloud.audit_logs where cloud.type = 'aws' AND crud IN ( 'create', 'delete' ) AND json.rule = $.awsRegion = 'us-east-1'
To analyze your Audit events offline, you can download the event
search details in a CSV format, click
the right hand corner.
to see the results
in a timeline. Single click the bubble to view the results for a
given timeline. Double click the bubble to drill down further.
to see a World map with
pinpoints to the locations where there are activities and anomalies.
You can view usual activities and anomalous activities to their
specific locations. Single click on the bubble in the map view to
view results for the given location. Double click on the bubble
in the map view to drill down further.