Investigate Audit Incidents on Prisma Cloud
Use event queries to investigate audit data.
Prisma Cloud ingests various services and associated user and event data from AWS, Azure, and GCP cloud services. You can investigate console and API access, monitor privileged activities and detect account compromise and unusual user behavior in your cloud environment.
To investigate audit data, use Event queries. To build an Event RQL query, enter the query in the Search bar and use auto-suggest to complete the json.rule attribute and the IN operator (auto-suggest is not available for array objects). If the search expression is valid and complete, a green check mark appears together with the results of the query. You can save the searches you create for investigating incidents under My Saved Searches and reuse them later instead of retyping them. You can also use a Saved Search to create a policy.
Saved Searches lists the search queries saved by any user in the system.
After you run an event search query, you can view the results in Table view (the default), Trending View, or Map View.
Table view: to choose the columns shown, use the Column Picker in the right-hand corner. From the table, select View Event Details to see the resource configuration details for an event. To analyze your audit events offline, click Download in the right-hand corner to export the event search results as a CSV file.
Trending View: shows the results on a timeline. Single-click a bubble to view the results for that period; double-click a bubble to drill down further.
Map View: shows a world map with pins at the locations where activities and anomalies occurred, so you can see both usual and anomalous activity by location. Single-click a bubble on the map to view the results for that location; double-click a bubble to drill down further.
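As an added example (not code from the Prisma Cloud documentation or from the product itself), the following Python script shows the kind of offline triage you can run over a downloaded event search CSV: it lists privileged operations, shows the locations each user has been active from, and flags privileged operations performed from the same source IP shortly after a console login that the platform marked as anomalous. The column names (time, user, operation, cloud_type, account, ip, location, anomaly), the set of privileged operations, and the sample rows are constructed for this example and do not reflect the real export layout; map them to the columns you selected in the Column Picker.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of an exported event search CSV.
# The column names are an assumption for this example, not the product's export layout.
SAMPLE_CSV = """time,user,operation,cloud_type,account,ip,location,anomaly
2020-05-01T08:01:12Z,alice,ConsoleLogin,aws,prod-123,203.0.113.10,Seattle US,
2020-05-01T08:05:40Z,alice,CreateUser,aws,prod-123,203.0.113.10,Seattle US,
2020-05-01T23:15:02Z,alice,ConsoleLogin,aws,prod-123,198.51.100.7,Kyiv UA,Unusual location
2020-05-01T23:16:30Z,alice,AttachUserPolicy,aws,prod-123,198.51.100.7,Kyiv UA,
2020-05-02T09:30:00Z,bob,ListBuckets,aws,prod-123,203.0.113.22,Seattle US,
2020-05-02T09:31:00Z,svc-deploy,Microsoft.Authorization/roleAssignments/write,azure,sub-456,203.0.113.22,Seattle US,
"""

# Operations treated as privileged here; an assumption to tune per environment.
PRIVILEGED_OPS = {
    "CreateUser",
    "AttachUserPolicy",
    "PutUserPolicy",
    "CreateAccessKey",
    "Microsoft.Authorization/roleAssignments/write",
}


def parse_events(csv_text):
    """Parse exported rows into dicts, adding a datetime under 'ts', oldest first."""
    events = list(csv.DictReader(io.StringIO(csv_text)))
    for e in events:
        e["ts"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
    events.sort(key=lambda e: e["ts"])
    return events


def privileged_events(events):
    """Return only the events whose operation is in PRIVILEGED_OPS."""
    return [e for e in events if e["operation"] in PRIVILEGED_OPS]


def locations_per_user(events):
    """Map each user to the set of locations they were active from."""
    locations = defaultdict(set)
    for e in events:
        locations[e["user"]].add(e["location"])
    return dict(locations)


def privileged_after_anomalous_login(events, window=timedelta(hours=1)):
    """Flag privileged operations performed from the same source IP within
    `window` after a console login the platform marked as anomalous.

    Returns (user, operation, time) tuples in chronological order.
    """
    findings = []
    anomalous_logins = [
        e for e in events if e["operation"] == "ConsoleLogin" and e["anomaly"].strip()
    ]
    for login in anomalous_logins:
        for e in events:
            if (
                e["user"] == login["user"]
                and e["ip"] == login["ip"]
                and e["operation"] in PRIVILEGED_OPS
                and login["ts"] < e["ts"] <= login["ts"] + window
            ):
                findings.append((e["user"], e["operation"], e["time"]))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    print(f"{len(evs)} events, {len(privileged_events(evs))} privileged")
    for user, locs in sorted(locations_per_user(evs).items()):
        print(f"{user}: {sorted(locs)}")
    for user, op, when in privileged_after_anomalous_login(evs):
        print(f"REVIEW: {user} ran {op} at {when} after an anomalous login")
```

The correlation deliberately keys on the same user and source IP within a short window, which is the pattern you would otherwise confirm by hand from the Map View and Trending View; widen the window or drop the IP match if your environment routes users through NAT or a VPN.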