Use Prisma Cloud to Investigate Network Incidents

Learn how to use Prisma Cloud to investigate network incidents.
Prisma Cloud ingests and monitors network traffic from cloud services and allows you to query network events from VPC flow logs. You can detect when services, applications or databases are exposed to the internet and if there are potential risky configuration that expose you to security issues such as data exfiltration attempts. Network queries are currently supported for AWS, Azure and GCP.
Network queries are of two types—configuration-based and flow-log-based. Both use different RQL and data sources; data from VPC flow logs enable you to search for potential network issues with traffic to and from deployed resources, and data from the configuration provides network exposure with path analysis to help you visualize how traffic is allowed or blocked through the cloud resources. By using packets, bytes, source or destination resource, source or destination IP address, and source or destination port information, these queries enable you to monitor traffic and the interconnectivity of the resources that belong to your cloud accounts and regions. As an example, with Network flow log queries you can use both source port and or destination port, the common usage is the
dest. port
attribute, and in Network config queries you can use the destination protocol and ports because from a configuration analysis perspective, source ports are ephemeral in nature.
The following example is for investigating network incidents based on flow logs. To learn about investigating network exposure, see Investigate Network Exposure on Prisma Cloud.
Enter your queries in the Search. If the search expression is valid and complete, you can view the results of your query. You can choose to save the searches that you have created for investigating incidents in
My Saved Searches
. Use these queries for future reuse, instead of typing the queries all over again. You can also use the Saved Searches to create a policy.
Saved Searches
has list of search queries saved by any user.
Use the
button to get network traffic details for your entire network, a node or an instance, or for a specific connection between a source and a destination node in a CSV format, on the top right hand corner over the graph. This report groups all connection details by port and includes details such as source and destination IP addresses and names, inbound and outbound bytes, inbound and outbound packets, and whether the node accepted the traffic connection
To see the details of a network resource, click the resource and view
Instance Summary
Network Summary
, or
Alert Summary
To see the accepted and rejected traffic, use the
Traffic Summary
link within Network Summary. Note that the attempted bytes count displays traffic that is either denied by the security group or firewall rules or traffic that was reset by a host or virtual machine that received the packet and responded with a RST packet.
To view details of a connection, click the connection and click
View Details
. If the traffic is from a suspicious IP address as characterized by a threat feed, you get more details on the threat feed source, when it was classified and reason for classification.
And if you have an AutoFocus license, you can click the IP address link to launch the AutoFocus portal and search for a Suspicious IP address directly from the

Recommended For You