Investigate Network Incidents with Prisma Cloud
Network queries help identify internet exposed services and detect potential risky configurations that may make your cloud environment vulnerable to attacks. Prisma Cloud identifies anomalies in ingested network traffic data using Machine Learning to help you conduct network investigation and analysis.
With Prisma Cloud you can query network traffic from VPC flow logs in extensive detail using pre-defined or custom queries. Set up queries for conditions you want to be alerted on, such as services that are exposed to the Internet, communicating with suspicious IPs or communicating outside of approved guardrails.
Network queries are based on varying RQL and data sources and can be of two types:
- VPC flow-logs queries- Searches for potential network issues with traffic to and from deployed resources.
- Cloud Network Configuration queries- Identifies net effective exposure with path analysis to help you visualize how traffic is allowed or blocked through cloud resources.
These queries help you monitor network traffic and explore the inter-connectivity of your cloud resources by account and region using data points such as: packets, bytes, source or destination resource, source or destination IP address, and source or destination port information. The following example is for investigating network incidents based on flow logs. To learn about investigating network exposure, see Investigate Network Exposure on Prisma Cloud.
Enter your queries in the Search bar. If the search expression is valid and complete, you can view the results of your query. You can choose to save the searches that you have created for investigating incidents in
My Saved Searches
. Use these queries for future reuse, instead of typing the queries all over again. You can also use the Saved Searches to create a policy. Saved Searches
has list of search queries saved by any user.Use the
Download
button to get network traffic details for your entire network, a node or an instance, or for a specific connection between a source and a destination node in a CSV format, on the top right hand corner over the graph. This report groups all connection details by port and includes details such as source and destination IP addresses and names, inbound and outbound bytes, inbound and outbound packets, and whether the node accepted the traffic connection.The
Intelligent Investigate Graph
brings traffic into context by automatically grouping assets into their parent relationships. For every IP address associated with a Prisma Cloud monitored asset, the graph automatically builds a top down hierarchy based on the following:
This provides a visual representation of where an asset is deployed, how critical that environment is and if flows represent a risk or anomaly requiring further investigation.
Flows are further separated into two different swimlanes:
- External → Flows coming from/going to unmanaged IPs
- Your Environment → Flows coming from/going to assets known to Prisma Cloud
External IPs are grouped by a parent related to the specific IP CIDR block or Threat Feed.
Supported groups are:
- AWS → Public IPs associated to an AWS Service
- AZURE → Public IPs associated to an AWS Service
- GCP → Public IPs associate to a GCP Service
- Suspicious IPS → Public IPs associate with a Threat List
- Internet → All other public IPs
Using the Intelligent Network Investigation Graph
To get started with Network queries in Prisma Cloud, navigate to
Home > Investigate
from the Prisma Cloud administrative console. Use a network from query to investigate an asset or a relationship.Enable the Intelligent Network Graph button in the upper right-hand corner. The
Intelligent Graph
automatically groups all matching flows under its proper parent.
Zoom into a query to dig in further or refine your query to match a specific asset of interest.
Groups with three or less child objects are automatically expanded. Double click outside a group to collapse it.
Analyzing Network Flows
To analyze a specific network traffic of interest, expand the graph to the asset level. Select a connecting line between the External IP and the asset of interest. Click on the
View Details
link. On the Connection Details
screen to display an aggregated visualization of all flows between the selected asset and its related source(s) or destination(s). If the traffic is from a suspicious IP address as characterized by a threat feed, additional details for the threat feed source, such as when it was classified and reason for classification is also provided.
If the sidecar is empty, you may need to click on a a parent group and not an individual asset.
If you have an AutoFocus license, you can select the IP address link to launch the AutoFocus portal and search for a Suspicious IP address directly from the
Investigate
page.
On the
Connection Details
screen you can also select the Download
button on the top right-hand corner to download a CSV file of the details of your network, node, instance, or a specific connection between a source and a destination node. This report groups all connection details by port and includes details such as source and destination IP addresses and names, inbound and outbound bytes, inbound and outbound packets, and whether traffic connection was accepted.